


Institutional Archive of the Naval Postgraduate School 





Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items


1983 


Design of a secure local network: thesis ... 


Cuadros, Ricardo. 


Monterey, California. Naval Postgraduate School 


http://hdl.handle.net/10945/19735 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for
research materials and institutional publications created by the NPS community.
Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first
appointed — and published — scholarly author.

Dudley Knox Library / Naval Postgraduate School
411 Dyer Road / 1 University Circle
Monterey, California USA 93943





http://www.nps.edu/library



















UNCLASSIFIED

Technical Report

distributed by

Defense Technical Information Center


DESIGN OF A SECURE LOCAL NETWORK

THESIS

AFIT/GCS/EE/83D-6        Ricardo G. Cuadros
                         Captain    USAF

Approved for public release; distribution unlimited


AFIT/GCS/EE/83D-6

DESIGN OF A SECURE LOCAL NETWORK

THESIS

Presented to the Faculty of the School of Engineering
of the Air Force Institute of Technology
Air University
in Partial Fulfillment of the
Requirements for the Degree of
Master of Science

by

Ricardo Cuadros, B.S., M.B.A.
Captain USAF

Graduate Computer Technology

December 1983

Approved for public release; distribution unlimited



Acknowledgements

This thesis could not have been completed without the support
and help of many individuals. Family, friends, and mentors, to
those that gave me unwavering support and helped me, thank you.

Katherine Anne, my wife, deserves special mention, credit, and
thanks for her loving forbearance and unflagging support. For
their unwavering support, my parents, Miguel Angel and Rosa Ana,
have my deepest thanks.

Among the others to whom I owe a debt of gratitude and must be
mentioned are Timothy Mayberry, a friend who served as a
backboard on whom I bounced ideas when I was stumped; Mrs. Linda
Stoddard, AFIT/EN Research Librarian, who successfully tracked
down copies of some key sources for me; and Major Walter D.
Seward (PhD), my advisor, who was always optimistic about my
chances of completing the program and was always willing to
spend time helping me.

Additionally, aid from two groups of mentors and friends also
helped make this thesis possible. While I was attending AFIT,
Dr. Lee (Chairman, AFIT/MA), Potoczny, and Lt. Col. Bexfield
(PhD) were invaluable in helping me overcome technical problems
and in keeping AFIT-life in perspective. Then, while I was
struggling to complete the thesis in Texas during 1983, four
people who were instrumental in motivating me were Major Jim
Sweeder (PhD), Dr. Al Roecks, Dr. John Romo, and Mr. Wilbur
Hoelscher (MS).

To all of those who helped me, a sincere thank you.


Preface

The purpose of this study was to design a multi-level secure
local network for the U.S. Air Force's Electronic Security
Command at Kelly Air Force Base, Texas. The resulting design was
modeled with all traffic encrypted for secure point-to-point
communications implementing a packet-switching store-and-forward
scheme over a dual loop ring topology using frequency division
multiplexed fiber optics. To analytically validate the design,
Jackson's Theorem was applied to a simplified version of the
model. The results were encouraging. To further evaluate the
model, a simulation of the streamlined model was attempted on a
microcomputer with 64K RAM. The language used for the simulation
was PASCAL. Even though it appears to be feasible to validate a
network model on a microcomputer, it was determined that this
approach needs further research.
    bits in a message as detected by a cyclic
    redundancy checksum (CRC)

encryption: a method useful for protection of data
    that must be transmitted over media that
    cannot be protected against unauthorized
    monitoring; two types of encryption: a) link:
    implies encryption and decryption by each
    network processor, is used for data flowing
    over a specific physical path (link); b) end-
    to-end: the message is enciphered once at the
    source and deciphered only at the final
    destination (LAN 83: 87)

fault: a condition that arises when a link is
    inoperable or a node fails
fault tolerant: a fault in one component does not
    bring the system to a halt; through redundancy in
    critical components and/or through the isolation
    of a fault to limit the loss of service to a
    small fraction of the whole, a fault tolerant
    system displays "graceful degradation"

flexibility: that characteristic which permits
    growth and extension in functional
    capabilities, in number of nodes, and in
    geographic coverage

host: the computer system connected to an IMP or node

IMP: interface message processor; the basic
    communication component in a node, a
    communication support computer

interoperability: that characteristic which is the
    ability to communicate across different networks

intruder: an unauthorized agent or entity

multi-level secure network: for this thesis, a
    network which supports concurrent/simultaneous
    transmission of different security
    levels/categories; a multi-level secure network
    does not imply that the operating systems of
    hosts attached to its nodes are multi-level
    secure, each node's hosts may be operated at
    dedicated, system high, compartmented, and/or
    multiple secure levels

multiplexing: the process of achieving simultaneous
    transmissions of distinct signals over one
    channel of communication; there are two basic
    techniques: 1) frequency division and 2) time
    division (THO 71: 11-14)

node: an IMP and the equipment/machines connected
    to it; for this thesis, only one host is
    associated with each node
packet: a data transfer unit which is exchanged
    between nodes, one or more units make up a
    complete message; for this thesis, each packet
    will have a fixed length of 102,400 (100K) bits,
    this length includes holding up to 100,000 bits
    of data plus 2,400 bits of header and trailer
    information

point-to-point: also known as "store-and-forward",
    this is a communication technique whereby a
    message or packet is sent from one IMP to its
    destination IMP; when the source and
    destination IMPs are not directly adjacent or
    connected to one another, the transmission is
    via one or more intermediate IMPs, at each
    intermediate IMP the message is received in its
    entirety and temporarily stored there until it
    can be transmitted "forward" towards its final
    destination

protocol: the rules and conventions used to control
    network functions; logical abstractions of the
    physical process of communication; protocols
    perform three tasks: a) establish standard data
    elements, b) establish conventions, c) establish
    standard communications paths (MCQ 78: 1); refer
    to Figure II-2 for the seven layer ISO reference
    model

reliability: a) that characteristic which refers to
    the freedom from loss of service due to random
    failures in the equipment or facilities
    (STO 80: 1472-1473), often referred to as
    "availability"; b) freedom from random
    transmission errors

security reference monitor: a set of trusted
    hardware and software that establishes and
    enforces network security access controls to
    include all discretionary and non-discretionary
    policies and provide complete mediation

SLN: secure local network
survivability: that characteristic which is the
    ability to survive enemy actions; to Stover,
    the three aspects of monitorability, self-
    diagnosis, and maintainability are related to
    survivability (STO 80: 1241-1242)

switching methods: techniques used to affect how
    different users share the transmission medium
    (refer to Table II-3)

TCP/IP: Transmission Control Protocol/Internetwork
    Protocol; developed on the ARPANET, the
    protocol set adopted by the USAF as standard
    for all networks; refer to DOD 82, USAF 82,
    and USAF 83 sources for more information

topology: the physical layout of a network; there
    are two levels: 1) backbone = the inter-
    connection of IMPs; 2) local access = the
    interconnection of hosts, terminals, and
    peripherals to a specific IMP

trusted: a component comprised of hardware and/or
    software that can be relied on to enforce the
    relevant security policy; a "'trusted
    computing base' is ... the totality of
    protecting mechanisms within a ... system
    ... the combination of which are responsible
    for enforcing a security policy." (LAN 83: 68);
    a trusted component is correct (i.e., it
    operates according to its specifications) and
    incorruptible (i.e., it cannot be modified by
    an intruder) (NES 83: 1059)
This research sponsored by the USAF's HQ ESC/AD develops a
multilevel secure host-to-host computer local area network. The
design process is presented. The resulting network uses a ring
topology with packetized point-to-point switching over fiber
optics communication links. For transmission security, packets
are source host-to-destination host encrypted as well as
encapsulated with link-to-link encryption. Message transmission
is controlled with message acknowledgements and credits within a
non-preemptive three priority class queue. A simplified version
of the resulting network was validated by applying Jackson's
Theorem. Additionally, the simplified view was modeled with a
PASCAL simulation program executed on a 64K microcomputer.
Unfortunately, the comparison of the simulation against the
analytical results that were obtained using Jackson's Theorem
was not possible due to problems modeling the network on the
microcomputer. Follow-on work in the area of simulation is
needed to successfully complete the simulation and compare
results.
Chapter I: Introduction

Overview.

General Requirements. This thesis was sponsored by the U.S. Air
Force's Electronic Security Command at Kelly A.F.B., Texas (HQ
ESC/AD Bldg 2000 San Antonio, TX 78243). It develops a
multi-level secure host-to-host local computer network model.
Mr. Hoelscher (Chief, Executive System Software Branch and
Technical Advisor, Directorate of Systems Technology) served as
the point of contact at HQ ESC/AD. He provided the constraints
and requirements which influenced the network's design (HOE 82;
HOE 83).

There were two major ESC requirements that had to be met for a
successful design. The first one was that the network had to
efficiently process traffic that would be primarily bulk in
nature.

The second major requirement was the most important and
restrictive; the network had to be secure and provide concurrent
multi-level security. The security aspects were pervasive
because the network was required to receive, transmit, and
process classified and compartmentalized information that, if
compromised, could damage national security.





Additionally, the resulting model had to be verified. A
simplified version of the model was analytically evaluated by
applying Jackson's Theorem. Additionally, a limited simulation
written in PASCAL was attempted on the streamlined model. The
simulation was executed on a 64K microcomputer. Unfortunately,
this part of the verification was not completed to form a part
of the model's analysis.

These issues were refined during the development of the thesis.
But the dominant requirement throughout the design process was
security.








Multi-level security requirements and the protocols and
architecture required to support them are areas that have
received increased interest as illustrated by the bibliography
of this thesis. The many favorable characteristics of computer
networks have been well documented by authors such as Booth, the
Dennings, Donaldson, Kent, Kline, Kuo, Popek, Stelte, Tanenbaum,
Tropper, and Weitzman. However, primarily due to a fear of
compromise, the military has not taken full advantage of
computer networks (STI 80: 1472). Recently, with the advent of
applications such as electronic fund transfers, security
problems have been receiving greater scrutiny by the business
and academic communities (KEN 76: 8; KON 81: 761; KUO 81: xi;
TAN 81b: 480). Many experts feel that even with safeguards such
as access controls, flow controls, data encryption, and
inference controls, "absolute" security is impossible (DEN 79:
227-228, 246; POP 79: 355). But what degree of security is
attainable?

Organization. Prior to performing any analysis which would lead
to a model for a secure network, an approach was required. A
series of principles were reviewed and those deemed appropriate
were adopted. These principles formed the foundation of the
methodology that was adopted to develop the network. This
methodology is covered in Chapter I.

The next chapter is a discussion of some of the major
constraints and requirements that apply to the model, those of
security. The final section of the second chapter presents
several safeguards and assumptions on the model's security and
its environment.

The third chapter discusses how and why this particular model
was developed. It describes in detail the design process. The
decisions made concerning topology, network control, and
protocols are presented here with the ever present influence of
security. Whenever possible, while examining the model's various
features, comparisons are made among the advantages and
disadvantages of other network designs.

In the fourth chapter, the analysis and verification are
discussed. The simplifying assumptions and the results of
applying Jackson's Theorem are analyzed.

The final chapter presents conclusions, recommendations, and
further areas of study generated by this thesis.


Methodology

Background. The methodology adopted for this study rests on two
distinct but related sets of principles. The overriding set of
principles are security related. However, the network could not
be developed strictly with security in view if it was to perform
any useful applications with any reasonable degree of
efficiency. Therefore, the overall approach was to develop a
network with the additional principles of simplicity and
reliability. The goal was a network which was as simple as
possible (to ease implementation, review, maintenance, and
future growth) and as available (fault tolerant, with long
mean-time-between-failures, and with short time-to-repair) as
possible while not over complicating the design aspects which
would make it impossible to provide adequate security.

The principles followed to analyze, develop, and maintain
security were adapted from Dr. Stephen B. Kent's "Protocols and
Techniques for Data Communication Networks". Kent delineates
eight specific principles of design.

Kent's Principles. Kent's first principle is probably the most
important. The design should be simple. A simple design
simplifies the tasks of implementation, verification, and
maintenance.

The next two principles, that of fail-safe defaults and of
complete mediation, are constraints that help attain a secure
system. These principles are directed not at exclusion (or "why
not" permit access) but at "why" should access be allowed. This
positive approach constrains the set of who may access the
system and its resources in a manner which permits greater
restriction and hence less chance of an intruder penetrating
through oversight. Thus, access will only be permitted if
specifically, instead of tacitly, granted. The default will be
to deny access. In this manner, the person seeking access must
go through some human (security officer) control prior to the
system getting his "name" in the system's access roster.
Therefore, all users are required to comply with
non-discretionary (mandatory) security rules which serve as an
overall barrier to the intruder. But discretionary control
should also be provided. This control can be specified at the
option of the user who can further constrain what he does for a
particular application, session, and/or transaction (AME 83a:
15). With users conscientiously applying discretionary security
rules, unnecessary security risks are avoided.

The fourth principle is not widely accepted by the military. It
is the principle of open design. The argument against an open
design is that "a secret design may have the additional
advantage of significantly raising the price of penetration,
especially the risk of detection". But Kent argues that an open
design is easier to review since there is no need to hide
safeguards which should remain secret in a closed design (KEN
81b: 372). However, in light of the sensitivity of national
security requirements, a closed design should be followed.





Separation of privilege and of least privilege are the fifth and
sixth principles. These principles help limit damage from
penetration. They enforce least access, ensure "need-to-know",
and add the safeguard of multiple keys for access to any given
level. Any security violation should have a limited scope of
potential compromise/damage. Not only should there be separate
access rosters for different security classifications, but each
security classification should be compartmentalized to deny
complete access to that level in case of penetration. This
compartmentalization is created through separate rosters,
passwords, and even hardware safeguards which will act as
bulwarks and will not allow complete access to a level when one
section has been penetrated. This need to limit damage is
further emphasized in the seventh principle.

The seventh principle is that of least common mechanism. By
keeping to the very minimum mechanisms which are in common
throughout the system, penetration can be more readily localized
and subversion of the entire system is less likely to occur.
This entails the use of separate rosters and different passwords
for each system resource, as well as the use of other physical,
software, hardware, and human safeguards to secure components of
the system from a potential intrusion (the use of discretionary
controls helps accomplish this endeavor). Thus rosters cannot be
accessed by the same password and different passwords and
security profiles are required for different resources located
in separate physical locations (like vaults) to which access is
restricted to different sets of users.

Because of these principles, different authorizations or
permissions are required to access different components and
compartments. By requiring an audit trail that tracks location
of user, password(s), location of resource(s) required, and time
of system/resource call and release, a system can be implemented
with multiple crosschecks which will reveal where a penetration
has occurred, what has been subject to compromise, and the
extent of the compromise. Knowing what has been compromised is a
major goal in a security conscious environment.
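The roster and audit-trail principles above can be made concrete with a short sketch. This is an added example, not code from the thesis: the class names, locations, passwords and integer clock ticks are all constructed, and PBKDF2 is a modern stand-in for whatever password check an implementation would use.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

@dataclass(frozen=True)
class AuditRecord:
    time: int               # constructed clock tick
    user: str
    user_location: str
    resource: tuple         # (security level, compartment)
    resource_location: str
    event: str              # "call" or "release"
    granted: bool

def password_digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Roster:
    """Access roster for one (level, compartment), with its own passwords."""
    def __init__(self, location):
        self.location = location
        self.entries = {}   # user -> (salt, password digest)

    def enroll(self, user, password):
        salt = os.urandom(16)
        self.entries[user] = (salt, password_digest(password, salt))

    def verify(self, user, password):
        if user not in self.entries:        # not named on the roster: deny
            return False
        salt, stored = self.entries[user]
        return hmac.compare_digest(stored, password_digest(password, salt))

class ReferenceMonitor:
    """Mediates every resource call; access is denied unless a roster grants it."""
    def __init__(self):
        self.rosters = {}   # (level, compartment) -> Roster
        self.audit = []

    def add_roster(self, level, compartment, location):
        roster = self.rosters[(level, compartment)] = Roster(location)
        return roster

    def call(self, now, user, password, user_location, level, compartment):
        roster = self.rosters.get((level, compartment))
        granted = roster is not None and roster.verify(user, password)
        self.log(now, user, user_location, (level, compartment), "call", granted)
        return granted

    def release(self, now, user, user_location, level, compartment):
        self.log(now, user, user_location, (level, compartment), "release", True)

    def log(self, now, user, user_location, resource, event, granted):
        roster = self.rosters.get(resource)
        where = roster.location if roster else "no such resource"
        self.audit.append(AuditRecord(now, user, user_location, resource,
                                      where, event, granted))

    def location_conflicts(self, user):
        """Crosscheck: granted calls made from one location while a grant to
        the same user from a different location has not yet been released."""
        held, conflicts = set(), []          # held: (resource, user_location)
        for rec in self.audit:
            if rec.user != user or not rec.granted:
                continue
            key = (rec.resource, rec.user_location)
            if rec.event == "release":
                held.discard(key)
                continue
            if any(loc != rec.user_location for _, loc in held):
                conflicts.append(rec)
            held.add(key)
        return conflicts

    def exposure(self, user, since):
        """Extent of compromise: resources granted to `user` at or after `since`."""
        return sorted({rec.resource for rec in self.audit
                       if rec.user == user and rec.granted
                       and rec.event == "call" and rec.time >= since})

def roster_scenario():
    """Constructed sample run; every name, location and password is made up."""
    mon = ReferenceMonitor()
    mon.add_roster("SECRET", "ALPHA", "vault-1").enroll("jones", "alpha-pw")
    mon.add_roster("SECRET", "BRAVO", "vault-2").enroll("jones", "bravo-pw")
    results = [
        mon.call(1, "jones", "alpha-pw", "room-101", "SECRET", "ALPHA"),
        mon.call(2, "jones", "alpha-pw", "room-101", "SECRET", "BRAVO"),
        mon.call(3, "jones", "alpha-pw", "room-207", "SECRET", "ALPHA"),
        mon.call(4, "jones", "alpha-pw", "room-207", "TOP SECRET", "ALPHA"),
    ]
    mon.release(5, "jones", "room-101", "SECRET", "ALPHA")
    return mon, results

if __name__ == "__main__":
    mon, results = roster_scenario()
    print(results, mon.location_conflicts("jones"), mon.exposure("jones", 3))
```

In the constructed run, the ALPHA password opens nothing in BRAVO, the unlisted TOP SECRET compartment is denied by default, and the second grant from room-207 while room-101 still holds the resource is the record the crosscheck singles out.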

Finally, the last principle is that of psychological
acceptability. User friendliness is a concept often overlooked.
But a safeguard which can not be easily and routinely used is
often ignored. What is the use of passwords if the user has them
written on a piece of paper in his wallet because they are so
many and so long? This results in the elimination of a barrier
for a potential intruder. Whenever and wherever possible, the
safeguards and countermeasures should be automatic and should
use only trusted system components.

The Approach. The approach taken to apply this methodology was
to first read about networks and then analyze network designs in
light of Kent's principles. The works of Clark, Kuo, McQuillan,
Tanenbaum, Thurber and Tropper were the most applicable during
the initial stages of this study. Acceptable designs were
earmarked for further comparison during which additional
constraints caused by the environment were applied. Once the
choices were narrowed to a few general options, a comparison of
their respective advantages and disadvantages was made using
tables derived from the previously mentioned sources (as well as
from the works of Ayrawala, Bux, Habara, Homayoun, Ikeda,
Penney, Popek, Kent, Stillman, Stover, and Wolf) which
summarized these characteristics. From these tables a choice of
topology, network access controls, and protocols was made
bearing in mind the need for simplicity and reliability.

The chosen options (discussed in Chapter III) were then combined
into a design which could meet the desired characteristics for
the secure network. It was then necessary to validate this
design. To do so, Jackson's Theorem was applied to a simplified
version of the model as a check. Then an attempt was made to
perform a PASCAL simulation on a 64K RAM microcomputer of the
streamlined model. This was done to achieve greater confidence
in the results and, also, to investigate how a network
validation could be performed on a microcomputer. This,
unfortunately, was not completed as part of this thesis. The
choice of machine and the choice of language caused problems
which were not resolved by the completion of this research.
Thus, verification of the model was by way of Jackson's Theorem
and only for a simplified version of it.

Before an analysis was feasible, a design was required. But what
must the network to be designed safeguard against? An overview
of security requirements is presented in the next chapter.
Chapter II: Security

An Overview.

Security Requirements.

The Environment. The environment in which a network must operate
constrains the topological options available for implementation.
Additional restrictions occur when the network must be a secure
local network (SLN).

According to Coviello and Lebow, "the essential distinctions"
between military and non-military applications "can be summed up
with the single catch-phrase 'survivability'" (COV 80: 1441).
The military environment can range from peacetime to nuclear
warfare. But many systems need not safeguard against all the
conditions of the entire range of possibilities nor may they be
able to do so. For example, this thesis's particular SLN is not
expected to withstand overt physical attack. But survivability
is possible only for a specific set of threats (COV 80: 1441),
so what are the set of threats to be met by this thesis's SLN?

Safeguards, Threats, and SLN Characteristics. The spectrum of
safeguards and related threats which any SLN should be able to
survive are covered, among others, by Kent, Popek, and Stillman.
The cited work of these authors does not cover the threat of
war. Since the SLN developed for this thesis is not expected to
survive in wartime, the safeguards and threats presented by them
apply to the model. Unfortunately, not one of them gives a
definite way of implementing any of these safeguards.

On pages 778-779 of his article "Security Requirements and
Protocols for a Broadcast Scenario", Kent lists five major
security requirements to counter potential threats. The first
requirement is the need to prevent unauthorized release of
message text. Then there is the need to prevent (or disrupt)
traffic analysis by potential intruders. Wiretapping is one way
that intruders can attempt to get the information they should be
denied. Therefore, the need to safeguard against both active and
passive wiretapping is critical. (Passive wiretapping is merely
the listening of traffic without attempting to modify the
transmission stream. Active wiretapping includes the insertion
and/or deletion of traffic to modify the transmission stream.)
Kent also presents the need to verify message authenticity,
integrity, and ordering as the fourth requirement. It is closely
related to the need to prevent message stream modification,
message deletion, and spurious or intentional message insertion
(the fifth requirement).

Popek and Kline present many of the same requirements (POP 79:
332-334). They also mention the need to safeguard against the
tapping of lines and the introduction of spurious messages.
Additionally, they mention that safeguards are needed to prevent
retransmission of a previously transmitted and acknowledged
valid message and to detect and/or prevent disruption (or
blockage) by malicious (intruder/interloper) acts or system
failure(s).
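The thesis notes that none of the cited authors gives a definite way of implementing these safeguards. As an added illustration (not from the thesis or its sources), the receiver below checks authenticity, integrity and ordering and flags modification, insertion, deletion and replay. The frame layout is an assumption of this sketch, and HMAC-SHA256 with a 64-bit sequence number is a modern stand-in; release of message text and traffic analysis are outside it.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32    # HMAC-SHA256 output size in bytes
SEQ_LEN = 8     # 64-bit big-endian sequence number (assumed frame layout)


def seal(key, seq, payload):
    """Sender side: sequence number + payload, followed by a MAC over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class StreamReceiver:
    """Checks authenticity, integrity and ordering of one message stream."""

    def __init__(self, key):
        self.key = key
        self.expected = 0      # next sequence number not yet accepted
        self.delivered = []    # payloads passed up to the host
        self.missing = []      # sequence numbers that never arrived intact

    def receive(self, frame):
        if len(frame) < SEQ_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            # Altered in transit, or inserted by someone without the key.
            return "rejected: modified or spurious"
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        if seq < self.expected:
            # Genuine frame seen before: retransmission of an accepted message.
            return "rejected: replay"
        verdict = "accepted"
        if seq > self.expected:
            # A gap in the numbering means frames were deleted or destroyed.
            self.missing.extend(range(self.expected, seq))
            verdict = "accepted: deletion detected"
        self.expected = seq + 1
        self.delivered.append(body[SEQ_LEN:])
        return verdict


def stream_scenario():
    """Constructed traffic: five sealed messages pass through an active tap."""
    key = b"constructed-demo-key-not-for-use"
    frames = [seal(key, n, b"msg %d" % n) for n in range(5)]
    tampered = bytearray(frames[1])
    tampered[SEQ_LEN] ^= 0x01                      # one payload bit flipped
    spurious = seal(b"intruder does not hold the key!!", 1, b"msg X")
    arriving = [frames[0], bytes(tampered), frames[0], spurious,
                frames[3], frames[4]]              # frames[2] is deleted
    rx = StreamReceiver(key)
    return rx, [rx.receive(frame) for frame in arriving]


if __name__ == "__main__":
    rx, verdicts = stream_scenario()
    for verdict in verdicts:
        print(verdict)
    print("missing:", rx.missing, "delivered:", rx.delivered)
```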

The military's view of the threats is presented by Stillman and
Defiore (STI 80: 1472-1473) who are technical advisors to the
Air Force (USAF/SI). They reiterate the need to prevent
unauthorized access to classified information, the need to
assure information integrity, and the need to counter
wiretapping and analysis of traffic flow. Also they expand upon
the need to guard against unauthorized access to physical
facilities and communication links and against subversion by
unauthorized users or users not in their authorized "area".
Furthermore, they present the need to protect the availability
of resources for authorized use in three operational
environments: routine, high traffic stress, and degraded
operations which includes protection of authorized users from
each other.

Stover presents safeguards and threats in a different way by
defining six characteristics that any military SLN should have
(STO 80: 1241-1242). These characteristics are desirable and
pertinent to this SLN, too. They were used in helping reject
options in Chapter III.

The first characteristic is that of survivability which Stover
defines as the ability of the digital communications function to
survive enemy actions. Stover presents the three related aspects
of survivability: monitorability, self-diagnosis, and
maintainability. To Stover, monitorability, self-diagnosis, and
maintainability mean that the network must be tolerant of
failures; that failures must be detected, isolated, temporarily
accommodated by operational procedures (which should be
automatic whenever possible); and that failures must be
repairable.

The second characteristic, reliability, refers to the freedom
from loss of service due to random failures in the equipment or
facilities, i.e. network operation ideally should not depend on
the continued operation of any particular node or transmission
link. A reliable system is dependable.

The next two characteristics, accuracy and 
stability, are related. Accuracy and stability 
refer to timing (message synchronization) and 
timing contributes to error detection and 
identification as well as to reliability. The key 
concept here is that the sending and receiving nodes 
agree when to send and expect messages and how these 
messages are being relayed. For example, if a 
message is expected and none is received in some 
given amount of time (a tolerance factor), then it 
is safe to assume that some error has occurred. At 
this time, some error handling protocol gains 
control of the processing. As the percentage of 
errors that occur and are not detected decreases, 
the system reliability increases. 

Flexibility is that characteristic which 
permits growth and extension in functional 
capabilities, in number of nodes, and/or geography. 
By their nature, networks tend to have the 
flexibility of incremental growth (BOO 81: 6-31; KUO 
81: ix-xi; TAN 81a: 3-5). 

The last characteristic is that of 
interoperability. Interfaces with other digital 
communication systems should be facilitated by 
having a timing which assures that the buffers will 
not have to be reset more frequently than at some 
acceptable rate. 

Another aspect of interoperability is the 
ability to communicate across different networks. 
Connectivity between networks is usually made over nodes 
that are called gateways. (Gateways convert from one 
protocol to another (TAN 81a: 354). Value-added 
gateways are gateways that also do some additional 
processing (like filtering traffic by security level, 
encryption/decryption processing, or guard functions); 
ESC's gateways are all value-added gateways.) An 
additional means of achieving internetworking is to 
force a common protocol set among all networks for 
purposes of homogeneity. 

In any case, not all of these safeguards, threats, 
and characteristics are applicable to this model. The 
next section shows the relationships of the above 
concepts to the SLN model developed. It addresses the 
assumptions made and the physical constraints which 
define the network's many requirements. 


Model's Security Assumptions and Safeguards. 

Physical Security. Without physical security, no 
other security safeguard is effective (WOO 81: 70). The 
SLN designed in this thesis will have guaranteed 
physical security. It will be located in a secure 
building which has active and passive safeguards. All 
the resources/hardware will be in rooms that will be 
further secured within the building. Furthermore, all 




equipment, as well as the transmission lines, will be 
sheathed to shield against electromagnetic emanations 
which would permit eavesdropping. Access controls at 
each node will insure against the possibility of someone 
at one node illegally accessing resources at another 
node. 

A More Secure Transmission Medium. There are two 
major choices for transmission medium for this 
network, coaxial cable and fiber optics. A comparison 
of the security characteristics of these two media 
follows. 

If the transmission medium chosen were fiber optics 
instead of coaxial cable, tapping would be more 
difficult (WOO 81: 70). Also, because the media will be 
physically secure, another critical security advantage 
of fiber optics over coaxial cable is found in the realm 
of electromagnetic radiation. Unlike coaxial cable, 
electromagnetic impairments are nonexistent in 
transmissions over fiber optics medium (CLA 81: 23; HOM 
80: 980-981; KEN 83). Finally, encryption techniques 
can be applied with fiber optics just as well as with 
coaxial cable (WOO 81: 73). 

Because of the above mentioned characteristics, 
fiber optics is a more secure transmission medium and 
worth any additional expense. Table III-4 (on page 50) 
summarizes the characteristics of both media. 

Encryption: Advantages and Disadvantages. 
Simmons (SIM 79: 314) and Popek (POP 79: 332-333, 335- 
336, 338) consider encryption to be the only way to 
send information over unsecure media and the best way 
to improve security and message integrity. Wood 
states that “cryptography is the only cost-effective 
control" against many threats and is essential for the 
maintenance of message integrity (DAV 81: 155, WOO 81: 
71). 

Es also argues that encryption helps 
provide secrecy and integrity. But Simmons warns that 
it is not perfect and is best used in authentication 
(SIM 79: 314, 322). Popek and Kline also recommend the 
use of encryption for authentication (POP 79: 336); but 
they categorically state that it does not provide 
protection against inadvertent or intentional 
modification of data (POP 79: 338). (The use of checksum 
techniques can provide a modicum of protection in this 
area (RUS 83).) 

Therefore, encryption is but one control, not a 
panacea, and is useless without physical protection (WOO 
81: 70). But it helps achieve secrecy/confidentiality 
(i.e. protects data and the source and/or sink from 
disclosure), it preserves data integrity, and it allows 
for the introduction of enciphered signals to conceal 
message length and frequency statistics which are 
critical for traffic analysis (LAN 83: 87, WOO 81: 71). 
Wood emphasizes end-to-end rather than less secure and 
more expensive link-to-link encryption. But the use of 
both methods simultaneously does add an additional 
degree of security. Wood also believes that encryption 
is vital because it can provide message, user, and 
process authentication and validation assuring integrity 
of transactions (WOO 81: 74). 

Kent states that encryption (and all other 
security requirements and tasks) can cause 
unacceptable overhead that adversely impacts upon 
network performance (KEN 81a: 785; also supported by RUS 
83: 55-57); but it is the most effective countermeasure 
(KEN 83; LAN 83: 87; SEA 83: 54-58). Furthermore, these 
adverse effects can in part be offset by high speed 
communication links (KEN 81a: 785). 

Encryption will be the primary means to maintain 
security within the network. It is a good way to 
protect against alteration of message contents and 
message insertion; and it preserves data and 
transaction integrity (LAN 83; NES 83; POP 79; SIM 79; 
WOO 81). 

Model's Encryption. Stillman's advice on 
encryption is "rather than attempting to separate 
multi-level users by monitoring and controlling data 
accesses, end-to-end encryption attempts to disguise 
the data at the source, maintain them in 
unintelligible form all along the communications 
path, and decrypt them only at the destination" (STI 
80: 1473-1474). This advice is followed in the 
model. All transmissions over the network are 
encrypted twice. But, agreeing with Stillman (and 
Rushby and Randell) that security often rests on the 
secrecy of the key rather than the algorithm, this 
thesis will not have algorithm selection nor key 
distribution techniques within its scope. 

In this model, there are two levels of 
encryption which combine link and end-to-end (in this 
case source host computer-to-final destination host 
computer) techniques. The inner level is 
undecipherable to all nodes except the one to which 
the message was addressed (i.e. a separate key for 
each pair of source and destination nodes conforming to 
end-to-end encryption). Furthermore, a distinct and 
different key is used to encrypt each message. The 
outer level of encryption is link-to-link and uses 
another key (which is unique for each channel and is 
changed periodically) known to all physically connected 
pairs of nodes which will contain, along with other 


and protocols associated with proper message handling 
are discussed in Chapter III. 
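
The two levels of encryption described above, traced hop by hop around a seven-node one-way ring, as an added example that is not code from the thesis. Because the thesis leaves algorithm selection and key distribution out of scope, the HMAC-SHA256 keystream cipher, the authentication tags, the six-byte header that relay nodes read after removing the outer level, and the per-message key derivation are all assumptions of this example.

```python
"""Inner end-to-end and outer link-to-link encryption on a one-way ring."""
import hashlib
import hmac
import secrets

N_NODES = 7   # ring size taken from the thesis
HDR_LEN = 6   # assumed header: source, destination, 4-byte message number


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in cipher (assumption): HMAC-SHA256 keystream, then a MAC tag."""
    nonce = secrets.token_bytes(16)
    stream = keystream(prf(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + prf(prf(key, b"mac"), aad + nonce + ct)


def unseal(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Check the tag first; raise ValueError if anything was altered."""
    if len(blob) < 48:
        raise ValueError("truncated")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), aad + nonce + ct)):
        raise ValueError("authentication failed")
    stream = keystream(prf(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def flip(blob: bytes, index: int) -> bytes:
    """Invert one bit, standing in for a line error or an alteration."""
    return blob[:index] + bytes([blob[index] ^ 1]) + blob[index + 1:]


class Ring:
    def __init__(self, n: int = N_NODES):
        self.n = n
        # Inner level: one key per (source, destination) pair of nodes.
        self.pair_keys = {(s, d): secrets.token_bytes(32)
                          for s in range(n) for d in range(n) if s != d}
        self.rotate_link_keys()

    def rotate_link_keys(self) -> None:
        # Outer level: one key per channel i -> i+1, replaced periodically.
        self.link_keys = [secrets.token_bytes(32) for _ in range(self.n)]

    def send(self, src, dst, msg_no, payload, corrupt_link=None, alter_at=None):
        """Deliver payload; return (plaintext, frames held by relay nodes)."""
        header = bytes([src, dst]) + msg_no.to_bytes(4, "big")
        msg_key = prf(self.pair_keys[(src, dst)], header)   # distinct per message
        frame = header + seal(msg_key, payload, aad=header)
        relayed, node = [], src
        while True:
            wire = seal(self.link_keys[node], frame)        # outer level
            if corrupt_link == node:                        # damage on the channel
                wire = flip(wire, 20)
            prev, node = node, (node + 1) % self.n
            frame = unseal(self.link_keys[prev], wire)      # fails if wire changed
            hdr, inner = frame[:HDR_LEN], frame[HDR_LEN:]
            if hdr[1] == node:                              # final destination
                key = prf(self.pair_keys[(hdr[0], node)], hdr)
                return unseal(key, inner, aad=hdr), relayed
            if alter_at == node:                            # faulty relay node
                frame = hdr + flip(inner, 16)
            relayed.append((node, frame))


def rejected(action) -> bool:
    """True when the receiving side refuses the message."""
    try:
        action()
    except ValueError:
        return True
    return False
```

A change on a channel is refused at the next node by the outer level, while a change made inside a relay node passes the outer level and is refused only at the destination by the inner level.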

Miscellaneous Issues. All issues pertaining to key 
management (i.e. generation, distribution, and control), 
which were assumed trusted, were beyond the scope of 
this thesis. Remote key generation and distribution was 
assumed available through trusted components. Also 
beyond the scope were the interfaces between the SLN 
and any other network. Therefore, security of the 
communication links into the net from areas outside of 
the building was assumed adequate. Access was in 
accordance with the principles delineated by Kent and 
ea by Ames. All three factors presented by 
Downey for access control (which he defines as 
clearance/classification, compartmentalization, and 
need-to-know) were considered (SCH 73: IV-25-26). But 
all these safeguards were not within the scope of this 
thesis. 


Summary. 


The security of the network will be established 
on four key points. First and foremost, because without 
it no security is possible, physical security will be 
assumed. Then, all equipment used will be sheathed as 
required to protect against electromagnetic emanations. 
Next, all transmissions will be source host computer-to- 
final destination computer encrypted with message unique 
keys as well as encapsulated within link-to-link 
encryption which uses different keys for each channel 
which are periodically changed. Finally, Kent's and 
Downey's security access principles will be assumed 


implemented on trusted systems. 
The next chapter presents a detailed discussion 
of the model and how it was designed bearing in mind the 
security constraints elaborated on in this chapter. 


Chapter III: The Model 


Overview. 


This is a model of a local host-to-host computer 
network which will be used to support distributed 
processing and will concurrently support two different 
levels of security classifications. Security 
requirements will be considered at each step. 

Additional requirements which the design should meet are 
that the resulting model portray a network: 1) that is 
maintainable, 2) that is fault tolerant, 3) whose 
arrival and service rates can be varied, and 4) whose 
traffic, the composition of which can also be varied, 
can be limited to database transfers (which will be at 
least 50 percent of the traffic) and "bursty" 
interactive work primarily associated with distributed 
processing. "Bursty" traffic is defined as messages of 
less than 16334 bits. (It was determined that up to 50 
-- but not more than 80 -- percent of the bursty traffic 
would consist of a single screenful of data; this was 
calculated to be less than 16K bits (HOE 83).) The 
database transfers are messages averaging 100,000 bits. 
Database transfers will range between 100,000 and 
900,000 bits. As specified by ESC/AD, the network will 
consist of seven nodes; three of the nodes will be 
communication nodes providing connectivity to different 
external long haul networks and four of the nodes will 
be application nodes. 

This chapter discusses how and why this 
particular model was developed. It addresses itself 
to decisions concerning the topology, the network 
control, and the protocols. At each step, all 
pertinent information, especially relevant security 
considerations, and the options available are presented 
along with the decisions made. It concludes with a 
summary of the model. 


Topology. 


When developing a local network, one of the 
first decisions involves the choice of backbone 
topology. (This thesis does not include a discussion 
of the local access topological design since 
the research was directed to a host-to-host network. 
The connection of the hosts, terminals, and peripherals 
to interface message processors (IMPs) is not within the 
scope of this thesis. It is assumed that the nodal 
hosts are connected to a peripheral local area network 
or that the peripherals are directly connected to their 
nodal host.) This decision is affected by such issues 
as topological simplicity, ease of implementation, 
message transmission control, fault tolerance and 
reliability characteristics, and the work the network is 
expected to perform. In this particular case, the issue 
of security considerations could be and were relegated to 
the protocols, but they permeated the selection process 
of topology, too. 

There are three basic topologies applicable to 
the backbone of a local network to choose from: the 
star, the ring, and the web (CLA 81: 19-20). These 
topologies are shown in Figure III-1. It should be 
noted that the same topologies are often known under 
different names. These aliases are presented in Table 
III-1 (page 32) after a discussion of each of the three 
basic categories. 

Figure III-1. Topologies: a) Star b) Ring c) Web 


Star Network. The star network is a simple 
structure. Unlike an uncontrolled topology, the 
star eliminates the need for each node receiving a 
message to make a routing decision to forward the 
information by centralizing all message decisions in 
one node (BAS 81: 366; CLA 81: 19-20; HAB 80: 964- 
965; PEN 79: 166; STA 80: 53). 

While this centralization seems at first to be 
an excellent way to maintain security over all 
traffic, it provides potential availability problems 
if, for example, the central node fails (CLA 81: 
21). A standby redundant control node configuration 
could overcome this problem. But in any case, the 
central node could become a bottleneck for traffic (HAB 
80: 965) and it presents to the intruder a tempting 
target at which to disrupt the entire system. 

Ring and web topologies attempt to overcome the 
same vulnerability by eliminating the central 
node without completely sacrificing simplicity (CLA 81: 
19-20; TRO 81: 7-11). 

Ring Network. In ring topology, we find 
messages going from node to node along unidirectional 
links until they arrive at their destination. Since 
each node only has to recognize if the message 
has arrived at its final destination or else 
transmit it to the next node in the line, routing 
decisions are kept to a minimum (WIL 80: 507). 

But single loop rings suffer from poor fault 
tolerance (TRO 81: 53; WOL 81: 149). Fortunately, 
this problem can be overcome with multiple loops 
(PEN 79: 171-172, 228; TRO 81: 53, 73-74; WOL 81: 
150). 

Web Network. The web is characterized by 
having all processing elements attached to a common 
channel which is employed in a broadcast mode (CLA 
81: 19-20; PEN 79: 166; TRO 81: 73-74). It is 
superior in fault tolerance (BAS 81: 366); but 
suffers from control problems in the areas of 
Synchronization, flow, and error control (HAB 80: 965). 
Furthermore, for reasons of security, it is not 
acceptable. Let us next examine the security 
applicable issues. 

In a secure network, a clear audit trail for each 
transmission is required so that message arrivals can be 
verified. Each message should only have one 
destination. With only one destination, security control 
over the traffic is simplified and it is easier to 
identify which messages are lost or inserted without 
authorization (whether or not the cause is from 
malicious acts or by spurious system errors). Therefore, 
broadcast modes are not desirable. Because of this and 
related security complications which arise from 
broadcast modes of operation, the web network is 
unacceptable. 


Table III-1, derived from the works of Bass, Clark, 
Habara, Penney, Stack, Tropper, and Wolf (BAS 81: 366; 
CLA 81: 19-22; HAB 80: 964-965; PEN 79: 165-166; STA 80: 
83; TRO 81: 7-72, 73-74; WOL 81: 148-150), summarizes 
the attributes of the topologies discussed. 


Table III-1 
Comparison of 
Controlled Network Topologies with Aliases 

Part I 

Network Name and Aliases: Star 

   Advantages: 
   1) Simplicity of design 
   2) Localization of damage in case of fault 
   3) Ease of incremental growth 
   4) Simplicity of routing 
   5) Potential centralization of all security tasks 

   Disadvantages: 
   1) Traffic inefficiencies due to central node 
   2) Central node failure shuts down network 
   3) From a security perspective, central node 
      vulnerability 

Part II 

Network Name and Aliases: Ring 

   Advantages: 
   1) Traffic efficiency due to highway capacity 
   2) Short average circuit length for intra-ring calls 
   3) Good fault tolerance with multiple loops 
   4) Good message audit trail 
   5) Relatively few routing decisions 

   Disadvantages: 
   1) Design moderately difficult 
   2) Incremental growth more difficult than for Star 

Network Name and Aliases: Web 

   Advantages: 
   1) High degree of fault tolerance 
   2) High degree of flexibility 

   Disadvantages: 
   1) Design very difficult 
   2) Route processing difficult and further 
      complicated with security controls 

Topology Decision. This analysis led to the 
decision to opt for some form of a ring topology. 
The advantages of ring networks speak for 
themselves. Ring networks are relatively simple to 
implement, relatively easy to modify (i.e. easy to 
add/delete processing elements/nodes), have relatively 
low start-up, modification, and maintenance costs (TRO 
81: pp. 8-9, 73), have a high degree of bandwidth 
efficiency, and, with the advent of multiple-loop ring 
networks, the fault tolerance problems can be overcome 
while minimizing security problems (FAR 81: 135; PEN 79: 
172, 228; TRO 81: 53-55; WOL 81: 148-150, 158, 162). 

After deciding which topology to use, the next 
issue to be resolved is what network access control 
scheme to apply. Controlling transmission over a 
network is an important design issue (CLA 81: 19-20). 
When can a user gain access to and control over the 
transmission medium to enter data onto the backbone? 





Network Access Control. 





There are many different network access control 
schemes that are applicable to a ring topology. 
This section presents four of these strategies and 
discusses which was chosen to gain access onto the 
network's transmission medium. The first strategy 
to be examined is known as contention or random 
access. This strategy is most often encountered in 
bus topologies; but it has also been suggested for ring 
topologies (CLA 81: 21; PEN 79: 166). The next three 
are considered the "basic" ring access strategies (BUX 
81: 1465; CLA 81: 20; TRO 81: 8). 

Contention. There are many contention 
strategies (TRO 81: 77). In a contention scheme, 
any node wishing to transmit does so. If two (or 
more) nodes transmit simultaneously, a collision 
occurs which will theoretically result in garbled or 
lost transmissions. Therefore, one contention 
control strategy (carrier sense multiple access -- 
CSMA) depends on the node that transmits detecting these 
collisions and, when it does, waiting a random amount of 
time before attempting retransmission. Unfortunately, 
as the number of nodes increases, performance 
deteriorates. 

Also, contention schemes are better suited for 
"bursty" traffic. This is because contention schemes 
lead to a very low limit on the percentage of channel 
capacity which can be utilized without causing the 
network to overload (saturate) with retransmission 
traffic (BUX 81: 1470; CLA 81: 20-21; LIS 83: 30; STU 83: 
72-76; TAN 81b: 469; TRO 81: 76, 131-133). This 
disadvantage of the contention scheme relates to the 
complexity of the transmit/listen/retransmit-if- 
collision-detected control technique. Over a ring, the 
propagation delay is a limiting factor (SALW 83: 184, 
190). How long should a node listen for a collision? 
The unidirectional flow of messages from node to node 
provides a natural ordering of all nodes that should 
permit a much lower collision rate (CLA 81: 21). Also, 
a contention scheme could be implemented between each 
pair of nodes to limit the propagation to one hop; but 
then a message that is not destined to an adjacent node 
has to be retransmitted from every intermediate node 
that it must cross. The difficulty of implementing any 
contention scheme is not necessarily warranted if a more 
feasible network access control scheme exists. 

For this model, contention schemes display three 
major disadvantages. The first critical 
disadvantage of contention schemes is that they are 
meant to handle primarily "bursty" traffic and not 
the data base transfer transmissions which dominate 
this network. The next disadvantage is the complexity 
of a contention scheme -- when a goal is to keep things 
simple (Chapter I: Methodology, page 4), complexity is a 
disadvantage. The third undesirable characteristic is 
that security will be complicated by contention 
strategies because of "lost" transmissions. Because of 
these three disadvantages, contention schemes are not 
deemed appropriate for this model. 

Slots. The Pierce loop illustrates the slotted 
ring access strategy (AGR 78: 674-675; BUX 81: 1466- 
1467; PEN 79: 167-166; TRO 81: 8-9, 21-22; WOL 81: 
149). In this strategy, a (one or more) fixed length 
time slot, generated and synchronized by a designated 
supervisory node, continuously circulates around the 
ring. To inform a node whether or not a slot is in use 
("full") or not in use ("empty"), a header is attached 
to each slot. When a node wishes to transmit a message, 
it must wait until an empty slot which it can fill 
reaches it. At that time, the node alters the header to 
reflect that it is full and then uses the slot to 
transmit its message. The filled slot eventually makes 
its way back to the node that filled it where it is 
recognized, captured, and, if there is nothing to 
transmit, marked empty. If there is more traffic to 
transmit, the slot is reused immediately. It is because 
of the ability to immediately reuse a slot that a node 
with a heavy flow of traffic can "hog" a time slot 
(TRO 81: 70). 

The major advantage of this control scheme is that, 
with more than one slot, simultaneous transmission of 
messages can occur (TRO 81: 8-9). This strategy was 
deemed appropriate for this model despite the adverse 
performance characteristics of "loop hogging". 

Tokens. The token ring access strategy is 
illustrated by the Newhall loop (AGR 78: 675; BUX 
81: 1465-1466; PEN 79: 167-169, 176; TRO 81: 9, 11; 
WOL 81: 148-149). Permission to transmit is passed 
from node-to-node by a circulating token. When a 
node receives the token, it may transmit one 
message. If there is no message to transmit, or 
after transmitting one, the token is passed to the 
next node in the loop. The major advantage of this 
control scheme is that it allows the handling of 
variable length messages (TRO 81: 8-9). Kummerle and 
Reiser categorically state that token passing is 
superior over a wider range of parameters than 
contention schemes (KUM 82) which provides greater 
potential long-term utilization. This strategy was 
also deemed appropriate for this model. 

Shift Register Insertion Technique. The shift 
register insertion technique has been applied in the 
distributed loop computer network (DLCN) and also by 
the double distributed loop computer network (DDLCN). 
According to Tropper, the shift register insertion 
technique has the major advantage of the slot 
(simultaneous transmission) as well as the variable 
message length handling ability of token rings (TRO 
81: 9). Penney mentions an additional advantage 
which reflects additional reliability: the shift 
register insertion technique has completely 
distributed control of the transmission system (PEN 
79: 170). But it does have the disadvantage of 
additional delays as the message traverses nodes to 
its destination (TRO 81: 9). This strategy was also 
deemed appropriate for this model. 

Control Decision. To decide among the three 
strategies deemed appropriate, an analysis that 
compared them was required. Fortunately, there are 
several sources each of which compares simulation 
results of at least two of the strategies under 
similar conditions. After reviewing these studies, 
the shift register insertion technique was selected 
as the most appropriate because it displayed 
superior performance (PEN 79: 234-236; TRO 81: 68-72). 
Table III-2 summarizes the information drawn from the 
various sources referenced in this section from the 
standpoint of this model's requirements. 

The next step was to analyze the protocols required 
to meet the model's requirements. 

Table III-2 
Comparison of Network Control Schemes 
Applicable to this Model 

Part I 

Control Scheme: Contention 

   Advantages: 
   1) Best for bursty traffic 
   2) Flexible design 

   Disadvantages: 
   1) Can have low channel capacity utilization 
   2) Security is complicated 
   3) Complex implementation 

Control Scheme: Slots 
Example of the Scheme: Pierce Loop 

   Advantages: 
   1) Best for packet switching 
   2) Can transmit messages simultaneously 

   Disadvantages: 
   1) Can display "loop hogging" (TRO 81: 70) 

Control Scheme: Tokens 
Example of the Scheme: Newhall Loop 

   Advantages: 
   1) Can transmit variable length messages 
   2) Superior performance to slot 
   3) No loop hogging 

   Disadvantages: 
   1) Performance inferior to shift register insertion 

Part II 

Control Scheme: Shift Register Insertion 

   Advantages: 
   1) Can transmit variable 
   2) Can transmit messages simultaneously 
   3) Control completely distributed 
   4) Best overall performance 

   Disadvantages: 
   1) Additional delays upon message 
   2) Requires additional storage 


Protocols. 

Introduction to Protocols. Protocols are the 
rules and conventions used to control network 
functions. McQuillan and Cerf state that protocols 
are logical abstractions of the physical process of 
communication and they perform three vital tasks: 
1) establish standard data elements, 2) establish 
conventions, and 3) establish standard communication 
paths (MCQ 78: 1). 

Protocol design is the most critical aspect of the 
model's development. It is here that the procedures 
required to meet various design features are set. If 
the procedures are incorrect, the network will not meet 
its requirements. 

A consensus on protocols has been developed; it is 
found in the International Standardization 
Organization's Reference Model for Open Systems 
Interconnection (ISO OSI). The ISO OSI is presented in 
an introductory fashion in Tanenbaum's "Network 
Protocols" and in more detail in his book Computer 
Networks pages 10-21. From the ISO OSI, protocols have 
been divided into seven layers. These layers and their 
interrelationship are illustrated by Figure III-2. (For 
further information, refer to the bibliography under 
McQuillan and Tanenbaum.) 

Figure III-2. The Seven-Layer ISO Reference Model 
(TAN 81a: 11, 16). 

The transmission medium is discussed first. Then 
the switching method. This is followed by the "s в 
control protocol along with the priority scheme which it 
supports and the manner in which the transmission 
frequencies are divided to make the priority scheme work 
while maintaining two security levels. A discussion of 
the error handling protocols then follows. Finally, a 
discussion of the security protocols is presented. 

The issue of the transmission medium to be selected is 
presented here because it impacts upon the switching 
method for message control and that in turn will affect 
the transport protocol. (The protocols for the 
physical, link control, and network and application 
levels are not within the scope of this thesis. It is 
assumed that the various standards which have been 
developed for the lower three levels are followed. The 
only point concerning this model is that of link level 
encryption. It is assumed that appropriate equipment is 
available to perform this task automatically and that 
this task is handled adequately.) 

Switching methods are those techniques that affect 
how the various users share the transmission medium. 
The choices considered are circuit, message, and packet 
switching (MCQ 78: 12). Each of these methods exhibits 
different properties which affect transmission 
efficiencies. Circuit switching establishes an end-to- 
end dedicated path before any data can be transmitted. 
Message switching does not establish this circuit in 
advance; instead the network makes its transmission 
decision at each node for the next hop. Packet 
switching, which is best suited for interactive traffic 
(TAN 81a: 116), acquires and releases the node-to-node 
link as required. Table III-3 presents a comparison 
of these three methods. 


Table III-3 
Comparison of Switching Techniques 


Characteristics Switching Method 
| Circuit Message Packet 


Dedicated Connection | | у Ко 
Delays w/ Congestion | Yes 
Storage Required | Temporary | 


Transmission Line No 
Monopolized | 

Speed/Code Conversion [ Yes 

Error Control Some 

Real Time/Interactive | Yes 
Bursty Traffic 

Flow controls ensure proper functioning of the 
communication channels with respect to message 
transmission and reception. The main goal of flow 
control is to avoid overloading a node (CLA 81: 29; 
MCQ 78: 24; TAN 81b: 477). Also included in this 
area is the traffic monitor which enforces flow 
controls and which 1) supervises queues and the 
algorithms that permit the entry/exit of messages, 2) 
inserts dummy traffic that disrupts traffic analysis 
by an intruder, 3) checks for lost or unauthorized 
messages, and 4) monitors the loop for transmission 
link breaks/faults. 

An error/fault detection/correction protocol is 
necessary due to the sensitive nature of the 
information to be transmitted by the SLN and by the 
time sensitivity of the same. Detection and 
retransmission was the obvious solution for two reasons. 
First, there is no need to implement a costly error 
correction process when the transmission medium, fiber 
optics, supports very low error rates making the 
probability of retransmissions due to bit errors very 
slight. Second, security is an overriding concern which 
is best served by requesting retransmissions as required 
instead of attempting corrections. 

The use of cyclic redundancy code (CRC) checksums 
was the best means of detection over simpler parity 
checking mechanisms that would be inappropriate for 
traffic that must always be correctly interpreted. 
Furthermore CRC is capable of detecting a greater number 
of errored bits (MCQ 78: 23). The parity checking is to 
be implemented at the data link layer. Other parts of 
the error function are required to handle link breaks 
(which is handled in the network layer) and message 
deletions and insertions (which are handled in the 
transport level). 

Internetworking is a major concern in this SLN
since three of its nodes (designated as communications
or "C" nodes) serve as gateways to external long haul
communications networks. As gateways, these "C" nodes
perform three functions:

1) network access protocol translation/conversion

2) packet size matching

3) speed matching and synchronization


The most complicated function, that of protocol
translation, was simplified when the Department of
Defense (DoD) decided to approach the internetworking
issue by declaring a set of internetworking protocol
standards for the DoD community's host-to-host data
communications networks (DOD 82). The Internet
Protocol (IP) developed by the Defense Advanced
Research Projects Agency (DARPA) on the ARPANET is the
DoD internet standard. Interoperability was further
improved by the DoD declaring the Transmission Control
Protocol (TCP), to be built above IP, as another
standard for its host-to-host data communications
networks (DOD 82). The Air Force followed suit by
declaring the same standards for all of its networks
(USAF 82; USAF 83).

For complete DoD compatibility, other protocol
sets to handle terminal (TELNET) and bulk file
transfer (FTP) applications are required. (The TELNET
and FTP protocols are built above TCP/IP.)
Eventually, DoD standards will be established for
these functions, too. Dr. Stillman (Technical Advisor,
USAF/SIT) strongly supports this approach; she feels
that TCP/IP standard protocol sets (and those protocols
built upon TCP/IP yet to be declared as standards) will
meet the requirements of at least 95 percent of the
DoD's users (STI 83).

Finally, access/security controls are those that
perform the necessary and proper checking of a job
request. These checks include authentication of the
user, verification that the user is authorized to use
each requested resource, and a complete mediation
check which ensures that the user is indeed on all
the pertinent access rosters for all the resources
requested and that the desired resources can be used
in the requested combination. But the only access
control protocols which will be examined and
considered pertinent to the model are checks to see
that the job is requesting a node which it can access
and verification of the legality of the priority
requested. Other security controls are assumed
properly enforced at the node of origin and
re-verified at the node of destination.

Transmission Medium. There are two choices of
transmission medium. It could either be coaxial cable
or fiber optics. In the first chapter, the security
advantages of fiber optics were discussed. In Table
III-4, a comparison of both mediums is presented. Fiber
optics are the best choice of transmission medium for
this SLN. Fiber optics are strongly recommended as the
transmission medium for this network because of its
superior electromagnetic emanation, error rate, tapping,
and isolation characteristics. It was assumed that this
recommendation will be followed.

Table III-4
Comparison of Coaxial Cable and Fiber Optics.

CHARACTERISTIC                           Coaxial   Fiber
                                         Cable

 1) Relative cost outlook
     a) currently inexpensive            Yes       No
     b) potentially inexpensive          Yes       Yes
 2) Small diameter/weight                No        Yes
 3) Supports frequency division          Yes       Yes
 4) Supports megabit                     Yes       Yes
    transmission rates
 5) Supports extremely high              No        Yes
    bandwidths (800M bits/sec)
 6) Supports point-to-point              Yes       Yes
    or broadcast operation
 7) Supports integrated services         Yes       Yes
 8) Supports encryption                  Yes       Yes
 9) Relatively immune to noise           Yes       Yes
10) No crosstalk                         No        Yes
11) Radio Frequency Interference         Yes       No
12) Electromagnetic Interference         Yes       No
13) Electrical isolation problems        Yes       No
14) Very low error rates                 No        Yes
15) Tapping more difficult               No        Yes

Bidirectional (HAB 80: 960)






One way to more efficiently utilize a
transmission medium is to apply a multiplexing
technology. Multiplexing is a method by which more
than one channel of communication are combined into
one. The approach selected for this model was
frequency division multiplexing.

Frequency division allocates a particular
section of bandwidth to each channel all of the time
(MCQ 78: 10). With this scheme, potentially only a
fraction of the traffic will be intercepted if a tap
with incomplete frequency coverage does occur. This
limits the traffic that an eavesdropper can listen to
and adds a degree of protection against
unsophisticated intruders. The increased level of
sophistication required for such a comprehensive
full-coverage tap can serve as a deterrent to some

frequency assignments at random intervals. For this
thesis, the medium will be frequency divided in such a
way that each of the message channels will support at
least a six megabit per second transfer rate. This
is because of the size of the data base transfers which
the SLN must support. Figure III-3 illustrates how a
transmission medium that supports a 60 MBPS
transmission rate could be divided to support two
security classifications and three message

Channel A: Flow Control Messages
Channel B: Security Level 1, Routine
Channel C: Security Level 1, Overnight
Channel D: Security Level 1, Immediate
Channel E: Unused
Channel F: Security Level 2, Routine
Channel G: Security Level 2, Overnight
Channel H: Security Level 2, Immediate
Channel I: Unused
Channel J: Unused

NOTES:

1) Each channel (there are ten shown)
supports 6 MBPS.

2) In a coaxial cable medium, each channel
would be bracketed with unused bandwidth
to decrease crosstalk. This action
would result in greater fragmentation of
the unused portion of the bandwidth that
would be available for growth.

3) If the bandwidth can support it, there
would be more unused channels for future
growth of the system.

4) Refer to Priority Scheme section for
traffic class definitions (page 58).
V i 
Figure III-3. Model's Frequency Division
for a 60 MBPS Fiber Optic Medium.

Switching Method. The size of the messages on
this network will range from just a few bits (bursty
traffic) to 900,000 bits for the data base transfers. To
avoid retransmission of large data base transfers
because of errors and due to the fact that most of the
traffic will be data base transfers, each job request
will be limited to a fixed-size transfer block which
will consist of a hundred thousand bits for data and
2,400 bits of overhead (100K bits). Because of the size
of the data base transfers and as a way to divide these
transfers into frames or blocks which will make these
long data base transfers more manageable without hogging
the transmission lines when a higher priority message
must get through, packet switching was chosen. The block
size selected equals the size of the average data base
transfer (expected to be 100,000 bits) plus the overhead
bits for a header and trailer. It should be noted that
packet switching will support real time applications as
well as data storage, partial error control, fast
speed/code conversion, delayed delivery and multiple
message addressing (MCQ 78: 12). It is because of this
functional flexibility that packet switching was chosen
for the model. The queues in the SLN must be large
enough to hold the largest number of blocks that can
make up one message.

When a message is longer than the set block
size, it is divided into more than one block. These
blocks are labeled to maintain proper sequencing
when they are reassembled. They are then transmitted in
order to the next node. Each block is considered and
handled as if it were an integral and complete message.
But at the final destination node the blocks are
reunited by the transport level protocol to form the
original message.


Flow Control. Traffic flow must be controlled
to maintain a coherent pattern of transmission which
will permit the proper monitoring of traffic in this
SLN and to eliminate loss of messages due to
insufficient available buffer space (TAN 81b: 477-478).
There are several conventions that must be
established to implement this control. Also, these
conventions will help create a clear audit trail for
messages. Some of the conventions are discussed in
this chapter under sections on error, fault, and
security controls.

The first convention in this area is that of
message acknowledgements. When a message is
acknowledged, the sending node can delete it from
its buffer space. If it is not acknowledged after
some preset delay time, timeout occurs and it is
retransmitted. After a predefined number of
retransmissions, the problem of message loss due to
a potential security breach arises. Control is, in
that case, passed over to the security protocols
which are covered later in this chapter in the
sections on error control and security protocols.

Flow control also prevents one IMP from
flooding another. Therefore, to avoid loss of
messages due to insufficient buffer space, a
convention of message credits is established which
explicitly permits transmission from one node to
another by informing the transmitting node what the
receiver's available buffer space is and allowing
transmission only when that space is sufficiently
large. This may cause some transmission delay due
to the wait that may be required until the receiving
node's buffer space is sufficiently large. But this
was considered a necessary cost to maintain proper
message audits for security purposes. It seems
feasible to add the capability of flushing the
receiving node's buffer space with some flow control
message or with some control information in the
header of a message to that node in the case of high
priority messages, but this was not included in this
model. It should be noted that implementing this
buffer flushing capability could result in
unacceptable message loss.

A priority scheme is discussed in these sections
on protocols because it affects message handling.

Priority Scheme. There will be three
non-preemptive priority classes within each of the
security classifications. These classes are, from
highest to lowest priority, immediate, routine, and
overnight. A round robin technique will be used to
address the queue of each of the classifications.

A job request with immediate priority will have
first call on the network's resources on a first-come
first-served (FIFO) basis within the immediate
class. No request from the lower priority
classifications can be upgraded to this classification.

Routine jobs will be routed as soon as possible
with a FIFO queue discipline. They are subject to
delays only when an immediate job is present. Jobs
may not be routine if the data base transfer required
is larger than one half the maximum message size.
(The request may be routine, but the response may be
such that the priority will be downgraded to
overnight.)

Overnight jobs have the lowest priority.
Messages of this class are released only when jobs
of the other classifications are not available for
transmission. Only a very small percentage of all
the jobs are expected to be classed as overnight.

From the information provided by Mr. Hoelscher
(the point of contact for this thesis at HQ ESC), it
is expected that immediate jobs will occur even more
infrequently than overnight jobs since only a crisis or
an emergency will warrant this classification. Routine
jobs will be dominant in the SLN's traffic. A few rare
jobs will be overnight and will consist of only large
data base transfers; immediate jobs will be negligible
in number.

Figures III-4 through III-6 illustrate the
connectivity and the allowable node
resource requests that may originate at a given
node. In those figures, the alphabetic character
"C" refers to a communication node which only
generates job requests and receives answers to these
requests. The character "A" refers to an
application node which responds to job requests and
which may generate requests of its own. There are
three communication nodes and four application nodes
in this SLN.

Error Control. Dealing with transmission errors is
important. Without protocols to handle errors, accurate
communication is not possible (KEN 85; MCQ 78; PEN 79;
STO 80; TAN 81a; TAN 81b). The reliability of these
communications can be greatly improved if there is a
high probability that few if any errors go undetected.
The protocol primarily responsible for error control
and reliable link-to-link transmission resides in the
data link level. It has been already mentioned that a
transmission medium with a very low error rate is
desirable (Table III-3). To further improve upon the
reliability of the communications an error detection
mechanism is then necessary.

As Tanenbaum explains, errors can be handled in
two ways (TAN 81a: 126). One strategy is to include
enough information in the message that allows the
receiver to deduce if an error has occurred and have the
message transmitted. Another strategy would be to add
enough information to not only deduce that an error has
occurred, but to also correct it. The second strategy
is not very efficient if the transmission medium
supports very low error rates. Since the selected
transmission medium is fiber optics (which supports very
low error rates), the first strategy was selected (MCQ
78: 23; TAN 81a: 129).

The means of detecting the error can be as
simple as a parity check. But greater reliability
can be achieved by a cyclic redundancy code (CRC)
(PEN 79: 227). Therefore, it was assumed that each
block that is transmitted within the SLN has a
trailer which provides enough bits of information to
implement a CRC scheme at each node. Furthermore,
due to the need for error free communication, the
CRC can be supplemented with a simple scheme that
treats each transmitted block as a rectangular
matrix of n by m bits. In this scheme, a separate
parity bit is computed for each column and is
affixed to the matrix as an additional row which is
then transmitted as part of the trailer. In either
case, the data link protocol is charged with ensuring
reliable link-to-link communications.

(A discussion of either the polynomial that would
be employed for the CRC scheme or how to perform the
parity scheme is not within the scope of this thesis.
But a good general discussion of both techniques can be
found in Tanenbaum's text.)
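The trailer described above (a CRC plus one parity bit per column of the block viewed as an n by m matrix) can be sketched as follows. This is an added example, not code from the thesis: the thesis leaves the polynomial and the matrix dimensions open, so CRC-32 from `zlib`, the 32-bit row width and all function names are assumptions.

```python
import zlib

DATA_BYTES = 100_000 // 8   # one block carries 100,000 data bits
ROW_BITS = 32               # assumed matrix width m; the thesis does not fix n or m


def column_parity(block: bytes, row_bits: int = ROW_BITS) -> bytes:
    """Even parity per column of the block viewed as an n x m bit matrix.

    XOR-ing all rows together gives one parity bit per column, i.e. the
    additional row that is affixed to the matrix and sent in the trailer.
    """
    row_bytes = row_bits // 8
    if len(block) % row_bytes:
        raise ValueError("block length must be a whole number of rows")
    parity = bytearray(row_bytes)
    for offset in range(0, len(block), row_bytes):
        for i in range(row_bytes):
            parity[i] ^= block[offset + i]
    return bytes(parity)


def make_trailer(block: bytes) -> bytes:
    """Trailer = CRC : Parity Check Info (field order from Figure III-7)."""
    crc = zlib.crc32(block).to_bytes(4, "big")   # CRC-32 is an assumption
    return crc + column_parity(block)


def verify(block: bytes, trailer: bytes) -> bool:
    """Receiver-side check; False leads to a retransmission request."""
    try:
        return trailer == make_trailer(block)
    except ValueError:
        return False


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with one bit inverted (simulated line error)."""
    out = bytearray(data)
    out[bit_index // 8] ^= 0x80 >> (bit_index % 8)
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample block, not real traffic.
    block = bytes((i * 31 + 7) % 256 for i in range(DATA_BYTES))
    trailer = make_trailer(block)

    one_error = flip_bit(block, 12345)
    print("single-bit error detected:", not verify(one_error, trailer))

    # Two errors in the same column cancel in the parity row; the CRC
    # still catches them, which is why the two checks are combined.
    two_errors = flip_bit(flip_bit(block, 5), 5 + ROW_BITS)
    print("parity row unchanged:", column_parity(two_errors) == column_parity(block))
    print("CRC still detects it:", not verify(two_errors, trailer))

    # Neither field is keyed: a changed block whose trailer has been
    # recomputed verifies, so these checks detect errors, not forgery.
    print("recomputed trailer verifies:", verify(two_errors, make_trailer(two_errors)))
```

The last case shows why the trailer is an error-detection mechanism only; protection against deliberate modification has to come from the encryption layers the design places around the data.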

Also within this area is the question of what
should be done if after several transmissions an
error free communication is not achieved. First,
the fault protocol at the transmitting node's network
layer (which is waiting for an acknowledgement) is called
to determine if the link between the nodes is not
functional. If the determination is a link fault, then
transmission is attempted on the alternate loop. If
that also is not possible, the node so informs all
linked nodes and each node's table of available paths is
updated to reflect that no traffic can reach a
particular node or set of nodes. Also, if the receiving
node continues to receive a message that it has
acknowledged and which is still in its buffer, it also
calls the fault protocol to determine if there is a link
fault. The availability of two loops increases the
probability that the nodes will still be linked after
one or more link faults. If a message is deemed
undeliverable because the addressee cannot be reached,
the sender is informed and the message is flushed. (A
simulation of the fault-tolerance and redundancy aspects
of the SLN is not covered within this thesis. Wolf's
work addresses this problem in some detail for a
distributed double-loop network.)

If the problem is not a fault, it could be a
more subtle problem and both the security and
maintenance people at the SLN would be notified and
the message would be continuously transmitted until
the maintenance people can attempt to check the
problem out or the message is successfully
transmitted.


Security Protocols. The main security
protocols this thesis is concerned with deal with
encryption. The link-to-link encryption (implemented in
the data link layer) is assumed automatic and reliably
implemented. It is the source host-to-final destination
host encryption (implemented in the transport or
presentation layer) which provides the necessary
additional level of security required for the SLN.

The key used for the link-to-link encryption
between each pair of nodes protects the entire packet of
information transmitted. Each packet's data is also
encrypted with a code used only between a given source
and destination node for that security classification
and for that particular session. This dual encryption
technique forces the intruder to know both codes to get
to the information when it is most vulnerable, during
transmission. A further enhancement is that these codes
change periodically, with each session. In this manner,
an intruder will be limited to the session(s) for which
he has all the codes and not all sessions. The remote
keying mechanism and the session level protocols that
this would entail are not within the scope of this
thesis. But the overhead in resources and processing
time that security forces upon the network is expected
to be relatively high.

The fact that nodes communicate with others at
particular security levels allows for a design that
denies the installation of equipment capable of decoding
the traffic that a node is not allowed to access.
Thus, each node will have, in addition to the link-to-
link encryption/decryption machines for each channel, a
pair of encryption/decryption devices for messages that
it receives/transmits (one set for each security level).
(It may be possible that one remote keying device serve
all security levels.) In this model, the maximum number
of nodes any single node can communicate with is three and
all of them fall under the same security classification.
Only node C3 communicates in two different security
levels and only with one node in each case. (Refer to
Figures III-5 and III-6.)

Another aspect of security is the need to deny
the potential enemy reliable traffic analysis.
Therefore, there is a need to have fake or dummy
messages in the transmission stream. The security
protocols will also control the transmission flow of
dummy messages.

Dummy Message Control. Whenever there is no
message to transmit from a security classification
(remember the round robin aspect of these
transmissions) and there is available buffer space
at the next node, a single block with randomly
generated bits is transmitted to the next node and
then flushed from the queue immediately. The
channel is selected by analyzing a random number
which will control what percentage of the time a
message should flow in that channel when there is no
traffic. The header information for this dummy
message will tell the receiving node that this is a
trash message so that it is flushed from the buffer
immediately. No acknowledgement is required. It is
suggested that this dummy traffic travel primarily

there normally is no traffic on these channels would

certainty to a monitoring enemy.

However, the price of denying traffic monitoring
with the use of dummy traffic should be analyzed
further. The impact of this traffic could significantly
affect throughput of real traffic. Such delays may be
considered unacceptable while the security risk of
allowing potential traffic monitoring could be considered
justified by the responsible authorities.
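The Priority Scheme, the message-credit convention and Dummy Message Control all meet at the point where a node picks its next block to send. The sketch below is an added example, not code from the thesis: the class and function names are hypothetical, and two behaviours the thesis does not specify are assumed and marked in comments (a dummy block does not consume a credit, and its priority channel is picked uniformly at random).

```python
import random
import secrets
from collections import deque
from dataclasses import dataclass

PRIORITIES = ("immediate", "routine", "overnight")   # highest to lowest
DATA_BITS = 100_000                                   # data bits per block
# Channel letters from Figure III-3, keyed by (security level, priority).
CHANNEL = {(1, "routine"): "B", (1, "overnight"): "C", (1, "immediate"): "D",
           (2, "routine"): "F", (2, "overnight"): "G", (2, "immediate"): "H"}


@dataclass
class Block:
    level: int            # security classification, 1 or 2
    priority: str         # one of PRIORITIES
    payload: bytes
    dummy: bool = False   # header flag: receiver flushes, no acknowledgement

    @property
    def channel(self) -> str:
        return CHANNEL[(self.level, self.priority)]


class Scheduler:
    """Block selection for one outgoing link (hypothetical class)."""

    def __init__(self, credits: int, dummy_rate: float = 1.0, seed=None):
        # One queue per classification, kept as one FIFO per priority class.
        self.queues = {lvl: {p: deque() for p in PRIORITIES} for lvl in (1, 2)}
        self.turn = deque((1, 2))        # round robin over classifications
        self.credits = credits           # free buffer slots at the next node
        self.dummy_rate = dummy_rate     # share of idle turns that are padded
        self.rng = random.Random(seed)   # decides whether and where to pad

    def submit(self, block: Block) -> None:
        if block.priority not in PRIORITIES or block.level not in self.queues:
            raise ValueError("illegal priority or security classification")
        self.queues[block.level][block.priority].append(block)

    def grant_credit(self, n: int = 1) -> None:
        self.credits += n                # credit packet from the neighbour

    def next_block(self):
        """Return the next Block to transmit, or None if nothing may be sent."""
        if self.credits <= 0:
            return None                  # receiver has no buffer space: wait
        level = self.turn[0]
        self.turn.rotate(-1)
        for priority in PRIORITIES:      # non-preemptive: decided per block
            fifo = self.queues[level][priority]
            if fifo:
                self.credits -= 1        # real traffic consumes a credit
                return fifo.popleft()
        if self.rng.random() < self.dummy_rate:
            # Assumption: a dummy is flushed on arrival, so it uses no credit.
            return Block(level, self.rng.choice(PRIORITIES),
                         secrets.token_bytes(DATA_BITS // 8), dummy=True)
        return None


def receive(block: Block) -> str:
    """Receiver side: dummies are dropped silently, real blocks acknowledged."""
    return "flushed" if block.dummy else "ack"


if __name__ == "__main__":
    s = Scheduler(credits=3, seed=1)
    # Constructed job mix, not measured traffic.
    for lvl, pri, data in [(1, "routine", b"r1"), (1, "overnight", b"o1"),
                           (1, "immediate", b"i1"), (2, "routine", b"r2")]:
        s.submit(Block(lvl, pri, data))
    for _ in range(4):
        b = s.next_block()
        print("blocked: no credits" if b is None else (b.channel, b.payload))
    s.grant_credit(2)
    for _ in range(2):
        b = s.next_block()
        print(b.channel, "dummy" if b.dummy else b.payload, receive(b))
```

Lowering `dummy_rate` trades padding for throughput, which is the cost the paragraph above asks to have analyzed.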








Summary of the Model.

The next three figures present the dual ring
topology of the model and the required traffic
connectivity. Figures III-5 and III-6 are especially
important because they define the logical link by
allowable security classes among the nodes. There are
three facts that stand out from those two figures. One
is that node C2 does not generate any classification 1
traffic and that node C1 does not generate any
classification 2 traffic. The second is that node A1 is
the only recipient of classification 1 traffic and that
node A1 cannot process any classification 2 traffic.
The third and final fact is that only node C3
communicates in two different security levels and only
with one "A" node in each case. Then Figure III-7
presents a summary of how traffic is processed within
each of the network's nodes.


[Diagram: the nodes of the network joined by two loops, with the
direction of flow marked for the clockwise loop and for the
counterclockwise loop.]

Figure III-4. The Dual Loop Network for this Model.

[Diagrams; surviving labels: "No Logical Job Connection" (in both
figures) and "A2<->A3<->A4".]

Figure III-5. Allowable Traffic for Security Classification 1.

Figure III-6. Allowable Traffic for Security Classification 2.

[Flow diagram: a packet from another node or a packet generated
internally passes through the numbered processing steps to step (J)
and on to the Next Node.]

Packet Header = Message ID : Packet Sequence :
                Number of Packets in Message :
                Priority : Destination :
                Security Check Bit
Message ID = Source Node ID + unique number
Packet Sequence = Sequence number of packet for
                  message rebuilding
Number of Packets = Total number of packets in
                    message for message rebuilding
Priority = packet/message priority
Destination = final destination (node)
Security Bit = marks net transaction as
               security is checked
Packet Trailer = CRC : Parity Check Info
Packet = Header : 100,000 bits data : Trailer
Figure III-7. Packet Control at SLN Node.
Part I

      if flow control packet then
          if acknowledgement then erase acknowledged
                packet from buffer and send credit
                packet to neighbor nodes
          else if credit then
                update credits for node affected
          go to I
      if retransmission request then
          get requested packet and go to J
      verify checksum and parity correct
      if detected error and
            retransmission counter > a max count
          then notify nodes of problem
               set notification flag
               reset retransmission counter to 0
               go to I
      if detected error then
          request retransmission
          add 1 to retransmission counter
          go to I
      if no error then
          reset retransmission counter to 0
          send acknowledgement packet
          decode HEADER
          go to 2
(2) : if CRC and parity checks
            and security checked
            and final destination is this node
            and message complete then
          sequence the blocks
          decode the entire message
          go to 3
      else if no error and security checked
            and for this node then
          strip trailer information
          restore in buffer
          go to I {* msg not complete *}
      else go to 4 {* not for this node *}

Figure III-7. Packet Control at SLN Node.
Part II

(3) : send on to computer resources (via DMA)
      overwrite buffer space with 0's and 1's of
          the just transferred message
      send credit messages
      go to I
(4) : recode Header
(5) : send to proper queue
          within security classification

(a) : divide message into blocks
      encode message by block
(b) : compute CRC and parity checks
      attach Trailer to block
      encode Header
(c) : send to proper queue
          within security classification

(I) : choose next packet to transmit
          using credit information for that node
          (Round Robin of classification queues,
          FIFO within queue.)
      if no message to transmit in either queue
          then poll queues
              until interrupted by a message arrival
              or until a message can be sent
(J) : transmit chosen message on correct channel
      if not retransmission then
          decrease credits of node message sent to
      go to I

A head-in required to do band selection is
available at each node due to the different
channels to be selected.

Figure III-7. Packet Control at SLN Node.
Part III

From the preceding four figures, it can be seen
that the designed SLN has a dual loop ring topology with
a store and forward scheme. As transmission medium, the
SLN uses fiber optics for point-to-point communications.
The frequency division multiplex technique is applied to
the medium to provide multiple channels to implement
multiple security levels. Packet switching with a block
length equal to header and trailer length plus the
average data base transfer message length, 100,000 bits,
is used to handle variable length messages. Block
length is fixed at 100K bits. This, along with the
creation of dummy traffic, will hamper traffic analysis.
Dummy traffic will provide an additional degree of
security. Acknowledgement and credit conventions have
been adopted to avoid message losses due to insufficient
buffer capacity at the receiving node. There is one
queue for each classification. Each queue is long
enough to hold the maximum number of blocks which can
make up one message. Each queue is ordered according to
one of three priority classes. When the entire message
arrives at its final destination, it is decoded. Error
correction will not be implemented. Instead, correct
data reception will be provided with an error detection
scheme. This error detection scheme will be implemented
using both CRC and parity techniques. This combination
of techniques will yield an extremely low probability of
missing any errors. It will also help in the detection
of message stream modification when an intruder is not
sophisticated enough to properly modify the CRC and
parity check fields. Additional memory space is
available at each node to provide a work area for
decoding the message headers without altering the
message in the buffer. But when the entire message is
being decoded, the deciphered text is held in the
message buffer until it is transferred to the host
computer. This transfer is performed, for the model's
purposes, instantaneously using direct memory access.
Upon completion of the transfer, the area where the
decoded message resides in the buffer is overwritten
three times with 1's and then three times with 0's to
help provide an additional measure of security.
Security is maintained during transmission
through a two level encryption process which combines
link-to-link as well as session specific source host-
to-final destination host encryption. Actions
relating to the session level security aspects are all
ignored because they do not fall within the scope of
this thesis. How a packet is handled at a node is
illustrated in Figure III-7 at the start of this
chapter's summary.
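The block handling summarized above (fixed-size blocks, the header fields of Figure III-7, reassembly at the final destination and the buffer overwrite after delivery) is sketched below as an added example that is not part of the thesis. The class and function names are hypothetical, and the padding rule for the last block is an assumption, since the thesis does not say how a short final block is filled.

```python
from dataclasses import dataclass

DATA_BYTES = 100_000 // 8          # 100,000 data bits per block (Figure III-7)


@dataclass(frozen=True)
class Header:
    message_id: tuple              # (source node ID, unique number)
    sequence: int                  # position of this packet, starting at 0
    total: int                     # number of packets in the message
    priority: str
    destination: str
    security_checked: bool = False


def fragment(message, source, unique, priority, destination):
    """Split a message into fixed-size blocks, padding the last one.

    Padding (assumption, not specified in the thesis): one 0x80 byte
    followed by zero bytes, so every block on the wire has the same length.
    """
    padded = bytearray(message) + b"\x80"
    padded += bytes(-len(padded) % DATA_BYTES)
    total = len(padded) // DATA_BYTES
    return [(Header((source, unique), seq, total, priority, destination),
             bytes(padded[seq * DATA_BYTES:(seq + 1) * DATA_BYTES]))
            for seq in range(total)]


class Reassembler:
    """Destination-node buffer for one message (hypothetical helper)."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.blocks = {}           # sequence -> bytearray holding the data
        self.header = None         # first header seen; later ones must agree

    def accept(self, header, data):
        """Store one block; return False for anything that does not belong."""
        first = self.header or header
        consistent = (header.destination == self.node_id
                      and header.message_id == first.message_id
                      and header.total == first.total
                      and 0 <= header.sequence < header.total
                      and len(data) == DATA_BYTES
                      and header.sequence not in self.blocks)   # no duplicates
        if consistent:
            self.header = first
            self.blocks[header.sequence] = bytearray(data)
        return consistent

    def complete(self):
        return self.header is not None and len(self.blocks) == self.header.total

    def deliver(self):
        """Return the original message, then overwrite the buffer."""
        if not self.complete():
            raise ValueError("message incomplete: blocks missing")
        joined = b"".join(bytes(self.blocks[s]) for s in range(self.header.total))
        message = joined[:joined.rindex(b"\x80")]    # strip the padding
        # Three passes of 1s, then three passes of 0s, as in the summary.
        # In Python this only illustrates the order of operations: the
        # immutable copies made above are outside the program's control.
        for buf in self.blocks.values():
            for fill in (0xFF,) * 3 + (0x00,) * 3:
                buf[:] = bytes([fill]) * len(buf)
        return message


if __name__ == "__main__":
    msg = bytes(i % 251 for i in range(30_000))      # constructed sample data
    packets = fragment(msg, "C1", 7, "routine", "A1")
    node = Reassembler("A1")
    for hdr, data in reversed(packets):              # arrival order is irrelevant
        node.accept(hdr, data)
    print(len(packets), "blocks, round trip ok:", node.deliver() == msg)
```

Rejecting duplicates, out-of-range sequence numbers and blocks whose Message ID or packet count disagrees with the first header is how this sketch covers the message deletions and insertions that the design assigns to the transport level.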

With the design of this model complete, the next
step was to evaluate it. Jackson's Theorem was
applied to the model to enable an analysis of the
network's operation in the environment defined above.
Chapter IV discusses this analysis and an attempted
simulation of the model.

Chapter IV: The Model's Evaluation

Overview.

In this chapter, the analysis of the SLN by
applying Jackson's Theorem is presented. Then, the
attempted simulation of the network is presented and
analyzed. Finally, some conclusions are drawn about the
model.

Analysis with Jackson's Theorem.

Simplification of the Model. Jackson's Theorem can
only be applied if the model meets specific constraints.
A goal of the simplification was to meet those
constraints so that analysis using Jackson's Theorem was
possible. However, the simplification process had
to maintain the main elements of the designed network's
traffic pattern to lend credence to the results of the
analysis. Therefore, to streamline the model, several
steps were taken to highlight the important traffic
without seriously affecting the results of any analysis.

The first step resulted in eliminating from
consideration the generation of external traffic at all
of the "A" nodes. This was done simply because it is
expected that no load will be generated which is not the
direct result of requests/traffic received over the "C"
nodes (HOE 83).

The next step eliminated the generation of dummy
traffic. Then, all consideration of traffic which
would result from an explicit acknowledgement function
was eliminated. Also, the priority scheme was ignored.
These three steps were taken to simplify the traffic
load analysis. It was deemed more important to get a
gross idea of the model's behavior before expending
resources in an effort that could be terminated early
on through a simple test.

The fifth and final step was to assume that the 
packets arrive in order and are fed directly to the 
host when they arrive at their final destination. 

This simplifies the processing at each node and can 
be implemented through protocols. Furthermore, 
because a very low error rate is expected, all 
transmissions are assumed error free; therefore, no 
packages will have to be retransmitted. 

The result of the five steps was a simpler
version of the network model which did not alter the
bulk of the traffic flow and, therefore, did not
grossly affect the analysis. But the performance
results expected from an analysis of a simplified model
by applying Jackson's Theorem will most likely be
better than those resulting from the application of the
same theorem to the complete model. The next major step
was to see if the model would fit the Jacksonian
constraints.

Applying Jackson's Theorem. An analysis of the
network was necessary to see how the model was expected
to behave. As stated in the preceding section, the
network model was simplified to permit Jacksonian
analysis. After determining the general expected
behavior of the network under expected [illegible], if
the results were deemed favorable, follow-on studies
could then be used to attain greater confidence in the
network's design. If the results of the initial
analysis were found to preclude the success of the
design, then redirection was possible without having
wasted efforts in a detailed and microscopic analysis.
Figure IV-1 is an accurate illustration of the
simplified version of the network analyzed by using
Jackson's Theorem.

Figure IV-1. The Network.

Due to the traffic that the network supports, each
node is actually composed of four components (refer to
Figure IV-2). One component processes classification 1
traffic that is addressed to that node. Another
component handles classification 1 traffic that is
enroute to another node. A third component processes
classification 2 traffic for that node. The fourth
component handles classification 2 traffic that is
addressed to another node.

Figure IV-2. Nodal Components.

The reason for this breakdown is that traffic is
not uniformly distributed by classification nor is it
uniformly distributed by destination. Furthermore,
traffic that is not destined for a given node is
processed differently than traffic that is destined for
that node. This latter traffic has a longer service
time. Even though the processing time at the IMP for
all traffic is roughly equivalent, additional time is
required for "this node" traffic due to the response
which is assumed generated for all traffic from the host
computer connected to that node. This difference in
service rate affects performance for "this node" traffic.
Therefore, the network is actually composed of seven
nodes each with four servers.

For traffic that is not addressed to a node, a
fixed, deterministic, processing time was used to
reflect the constant time required for packet handling.
For traffic that is addressed to a node, each server uses
an exponentially distributed processing time to which a
fixed, deterministic time is added. But, to apply
Jackson's Theorem, some assumptions had to be made.


Jackson's Theorem states that the joint distribution
for all nodes factors into the product of the marginal
distributions, each of which is given as the solution to
the M/M/m system (KLE 75: 150). This theorem applies to
open networks of queues with Poisson arrivals, FCFS
queues, exponential service times, and no saturated
queues (KLE 75: 149, SAU 81: 80-81). Furthermore,
thanks to Burke's Theorem, a network of multiple-server
nodes connected in a feedforward fashion still preserves
the node-by-node decomposition that makes Jackson's
Theorem so useful (KLE 75: 149). For this evaluation
all of the conditions were met or could be assumed as
met for analytical purposes when the service times for
all traffic were idealized to exponential service rates.
The deterministic service rate was added to the mean of
the expected service rate to yield a new exponential
service rate. This shifted the mean service rate but
did not totally ignore the deterministic component.
Having met the necessary conditions for Jackson's
Theorem, Table IV-1 was developed presenting the arrival
rates in terms of the external arrival rates to the
system and the necessary performance parameters were
computed (Table IV-2).

Table IV-1
Mean Arrival Rates for the Simulation
Using Jackson's Theorem.

Node      Lambda
          (in terms of external arrival rates)

Results. It was, of course, known that these
results were idealistic since each node really was a
single-server and processing times could be
deterministic depending on the type of traffic being
processed. But the careful selection of the parameters
helped provide confidence in the results of the analysis.

The computations made for Table IV-2 were based on
one packet per message, external arrival rate of 0.0001
messages per millisecond (i.e., G1 = G2 = G3 = 0.0001),
a service rate of 0.001 millisecond per packet for
"not-this-node", and a service rate of 0.006 milliseconds
per message for "this node" traffic. This arrival rate
is considerably faster than the expected and foreseeable
traffic load for the network of 100,000 bits of
raw data per second over one "C" node and 50,000 bits of
raw data per second for each of the other two "C" nodes
(HOE 83). This faster rate was chosen to provide
greater confidence in the results of an analysis
performed on an idealistic representation of the model.
The service rates are those expected with the equipment
that is planned for the actual network's implementation
(HOE 83).

[Table IV-2: body not recoverable from the scan.
Surviving legend: [2] = Class 2 traffic. Surviving
column heading: Queue Length.]











From the computational results, it can be inferred
that the designed full-blown SLN model would provide
adequate performance and process effectively the bulk
data traffic that characterizes the expected traffic
load. As Table IV-2 shows, the system is very capable
of handling traffic at one packet per message with an
arrival rate of 0.0001 messages (packets) per
millisecond and a service rate of one message (packet)
per millisecond. Even if each message was made up of
more than one packet, the utilization rate (arrival
rate divided by service rate) would still be less than
one. As stated earlier, the chosen arrival rate used
is an extreme case load that is ten to twenty times
greater than what could be considered within the realm
of possibility. Yet, at every point, the utilization
rate is considerably less than one. Therefore, the
network should be stable and capable of handling a
heavier traffic load.
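
The load check described in this section, worked through as an added example (not the thesis's own computation or code). It traces every request and its response around the ring, sums the arrival rate offered to each of a node's four components, and reports utilization, mean number in system and the external rate at which the first component would saturate. Assumptions: the ring order 1->2->...->7->1 shown in the Appendix A listing header; destinations spread uniformly over the four "A" nodes; an even split between the two classifications; responses counted as "this node" traffic at the originating "C" node; each component treated as an M/M/1 server; and the quoted 0.001 and 0.006 figures read as mean service times in milliseconds.

```python
"""Added example: Jackson-style load check for the simplified seven-node ring."""
from collections import defaultdict

RING = [1, 2, 3, 4, 5, 6, 7]   # flow order 1->2->...->7->1 (from the listing header)
C_NODES = (1, 2, 3)            # communication nodes: all external arrivals enter here
A_NODES = (4, 5, 6, 7)         # application nodes: destinations of that traffic
GAMMA = 0.0001                 # external msgs/ms per "C" node (value from the text)
S_TRANSIT = 0.001              # ms per packet, "not-this-node" (text value, read as a time)
S_LOCAL = 0.006                # ms per message, "this node" (text value, read as a time)
CLASS1_FRACTION = 0.5          # ASSUMPTION: share of classification 1 traffic


def hops(src, dst):
    """Nodes reached after leaving src, in ring order, ending at dst."""
    i, out = RING.index(src), []
    while not out or out[-1] != dst:
        i = (i + 1) % len(RING)
        out.append(RING[i])
    return out


def component_rates(gamma=GAMMA, class1=CLASS1_FRACTION):
    """Messages/ms offered to each (node, class, kind) component."""
    lam = defaultdict(float)
    for src in C_NODES:
        for dst in A_NODES:
            for cls, frac in ((1, class1), (2, 1.0 - class1)):
                rate = gamma * frac / len(A_NODES)
                lam[(src, cls, "transit")] += rate        # entry handling at the C node
                for node in hops(src, dst)[:-1]:
                    lam[(node, cls, "transit")] += rate   # request passing through
                lam[(dst, cls, "local")] += rate          # request delivered to the host
                for node in hops(dst, src)[:-1]:
                    lam[(node, cls, "transit")] += rate   # response passing through
                lam[(src, cls, "local")] += rate          # response leaves at its C node
    return dict(lam)


def service_time(kind, pkts_per_msg):
    """Mean service time per message for a component kind."""
    return S_LOCAL if kind == "local" else S_TRANSIT * pkts_per_msg


def analyse(gamma=GAMMA, pkts_per_msg=1, class1=CLASS1_FRACTION):
    """Per-component utilization rho and M/M/1 mean number in system L."""
    result = {}
    for key, lam in component_rates(gamma, class1).items():
        rho = lam * service_time(key[2], pkts_per_msg)
        if rho >= 1.0:
            raise ValueError(f"component {key} saturated (rho={rho:.3f}); "
                             "the product-form result no longer applies")
        result[key] = {"lambda": lam, "rho": rho, "L": rho / (1.0 - rho)}
    return result


def saturation_gamma(pkts_per_msg=1, class1=CLASS1_FRACTION):
    """Largest external rate per C node (msgs/ms) that keeps every rho below 1."""
    unit = component_rates(1.0, class1)     # rho is linear in gamma
    worst = max(lam * service_time(key[2], pkts_per_msg)
                for key, lam in unit.items())
    return 1.0 / worst


if __name__ == "__main__":
    for (node, cls, kind), v in sorted(analyse().items()):
        print(f"node {node} class {cls} {kind:7s} "
              f"lambda={v['lambda']:.3e} rho={v['rho']:.3e} L={v['L']:.3e}")
    for pkts in (1, 10):
        print(f"{pkts:2d} pkt/msg: first component saturates at "
              f"gamma = {saturation_gamma(pkts):.1f} msgs/ms per C node")
```

Under these assumptions the busiest component is the "this node" server at a "C" node with one packet per message, and the transit server at a "C" node once messages reach ten packets.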


The Simulation and Throughput Performance. 


The simulation should show how throughput is
affected by different mixes. Factors that
influence throughput are the error rate and the
resulting retransmission, maximum message size, block
size, medium speed, arrival rates, and service rates at
the nodes. Arrival and service rates and message
length are the only variables addressed by the
thesis; the other variables are left for further
study.

Guidance provided by the thesis sponsors limited
the range of some of these variables (HOE 82; HOE 83).
All traffic entering the system would be uniformly
distributed over the three communication nodes. (The
distribution of the classification of this traffic was
previously addressed in Figures III-5 and III-6.) Short
bursty transmissions and data base transfers would be
the only type of traffic. The data base transfers
would range from 50 to 80 percent of all messages.
Data base transfer traffic is expected to average about
100,000 bits in length with a range from 100,000 to
900,000 bits. Three priority classes were generated
for the model. At least 50 percent of the traffic
would be routine and traffic for the highest priority
could be considered rare to non-existent except in a
crisis.

To focus on the network, it was assumed for this
thesis that each individual host would have its own
priority scheme and would handle the messages as it
deemed appropriate. But handling the priority scheme
was beyond the scope of the analysis performed. Table
IV-3 shows the areas actually addressed by the
simulation.


Table IV-3. Variables Used in the
Analysis of the Network's Throughput Performance.

1) Arrival rate
2) Service rate
3) Message length (range: 1 to 10 packets)


Some areas are left unexamined by the simulation.
Areas such as the impact of link faults, buffer size,
and error rates on the SLN's throughput are left for
follow-on projects. This simulation concentrates on
the three areas identified in the preceding table.

But how are these areas studied? 

Examining Throughput Performance. The
simulation program implementing the model had to have
flexible entries for the features listed in Table IV-3
to be examined. Runs were performed changing only one
of those three parameters between executions. To help
in the evaluation, the maximum number of packets held in
each node's buffer for each run was to be kept, as well
as the number of messages and packets processed at each
node. This would permit analysis on how variations
affected results.

Since the processing of the SLN's traffic
consumes time and the traffic could not be generated
in real time, the program had to simulate the passing
of time. Events are therefore created and processed
to simulate this passage of time. The program
implements an event driven simulation.

The Design Process. Software engineering
techniques were applied. First, the requirements
had to be explicitly defined and the functions that
were to be performed defined and refined until a
structure chart of modules is fully developed. Most
of the initial work was spent on the generation of
what is illustrated in Figure III-7. It was critical
to know or decide how messages were to be processed
at each node so that the network analysis could be
determined. General traffic flow requirements were
defined in Figures III-4, III-5, and III-6.

After developing the functions that were to be
performed at each node (which resulted in Figure III-7),
a chart presenting the functions to be performed
was drawn. Initially, the functions to be implemented
included retransmissions and flow control. Then, the
number and diversity of these functions was limited by
the problems that arose with the language being used
to implement the simulation and by the mathematical
tools available to perform the analysis. After the
decision was made to restrict and simplify the model,
the next step was to see how the functions necessary
to simulate the SLN could be grouped or developed.
This resulted in Figure IV-3. The technique of
stepwise refinement was used to get the simulation
down to a level that could lead to code. From the
very start, a data dictionary (Appendix C) was
maintained and every effort was made to use names that
were meaningful. The names of constants, variables,
procedures, and functions were made self-explanatory
whenever possible within the constraints placed on their
length by the compiler and by the programmer's
additional constraint of avoiding multiple lines for
simple data manipulations. Furthermore, the programmer
avoided nesting of "if" statements to ease debugging.
This latter constraint could be changed later if code
optimization were desirable.

Figure IV-3. Functions Performed
by the Simulation Program.

It was obvious at the start that there would be
variable parameters in each run. A parameter
initialization module had to be the first module which
had to interact with the user who would input
parameters. Of special importance was the start time
for statistics collection since the simulation would
have to run some undetermined amount of time to reach
steady state prior to data collection. This time was
to be arbitrarily set and hopefully a reasonable delay
time would become apparent through trial-and-error.
But before any initialization module was designed, the
first step taken was to translate the traffic load
into an event generating algorithm that represented
it.

The event generation function was a straight
forward implementation thanks to the detailed
information made available on the expected traffic
load (refer to Chapter III, especially the sections
entitled: Overview, Switching Method, Priority Scheme,
and Summary of the Model). The only hitch in the
entire algorithm development process was the lack of
random number generators in the chosen language, PASCAL.
Books by Hillier and Sauer (HIL 73; SAU 81) eventually
helped by providing formulas for exponential
distributions. But the cleanest solution was the one
finally implemented, to use CBASIC II (Compiler Systems,
Inc., version 2.0, July 1981) to generate, initially, a
two thousand entry file of uniformly distributed random
numbers which could then be accessed by the simulation
program whenever it required a uniformly distributed
number. (After much trial-and-error, the best [illegible]
that was achieved for a uniformly distributed
pseudo-random number generator was every 574 times; this
was deemed, after consultation with the thesis advisor,
borderline acceptable. Reading from a file of uniformly
distributed random numbers was easier to follow for
purposes of programming and debugging.)

Next, after developing the event generating algorithm,
handling of the created event record via a linked-list
queue was tackled. The queue manipulation function
was much more difficult. Translating Figures III-4,
III-5, and III-6 and Figures IV-1 and IV-2 into code
was just the beginning. Event insertions and
deletions, walking the queue, moving events about in
the queue to simulate the flow of a packet around the
network to its destination, and the integration of
calls to modules to generate new events as well as the
insertion of code to trap required data for follow-on
analysis were not trivial. Fortunately, the decision
not to include flow and error control traffic
simplified the implementation. The final program design
is reflected by the structure chart in Appendix B.

The Differences. As Figure IV-1 illustrates, 
several SLN functions discussed in Chapter III were 
not implemented in the simulation. There are six 
important differences which resulted from the 
model's simplification. The rationale for this 
simplification is discussed in detail at the beginning 
of this chapter. Briefly, the simplifications were 
required to permit analytical validation of the model 
with Jackson's Theorem. 

The first difference is the lack of external
traffic generation at the "A" nodes. The next
difference is the lack of dummy traffic generation.
The third difference is the lack of an explicit
acknowledgement function. The fourth difference is
that packets are assumed to arrive in order and to be
fed directly to the host when they arrive at their
final destination. Next, the priority scheme is
ignored. Finally, the sixth major difference is that
all transmissions are assumed error free.


The Problems. As has already been remarked, the
simulation was an additional attempt to further
validate the network model that was designed.
Unfortunately, the simulation was never completed.
Several problems hindered the successful execution of
the simulation. The most critical problem was the
language chosen for the simulation.

Language and Machine Decisions. The SLN model
developed over the preceding two chapters was severely
constrained by the chosen simulation environment. The
simulation was to be performed on a microcomputer to see
what could be accomplished on a small system. As far as
could be determined, no network simulation had yet been
performed on a microcomputer. Performing the simulation
on a microcomputer would present constraints on the
simulated model due to available memory and computing
power. The choice of language would also affect the
implementation due to routines available and ease of
use. A machine and a language had to be chosen. The
process is presented below.

The machine desired was a microcomputer with a
proven processor chip. Other desired characteristics
were a large main memory and as much easily accessible
secondary storage as possible. Finally, the machine had
to be available for use.

Because of availability, an Intertec Data Systems
"Superbrain" Z80A microcomputer with dual 5.25 inch
[illegible] soft-sectored floppy disk drives (each with
162K useable storage capacity) with 64K RAM was used.
When that machine shorted out, it was replaced with a
microcomputer of the same make, but with double-sided
floppy disk drives. The upgrade in disk storage
capacity was a definite asset during the development of
the thesis because of the additional 332K of secondary
storage.

Because of software availability, the language
choices were limited to some form of Basic, C, or
Pascal. Due to the unstructured nature, non-overlay
features, and language construct limitations of the
Basic software available, Basic was not chosen. Neither
C nor Pascal suffered these handicaps. They are
structured languages and they both support overlays.
After talks with some members of the faculty and using a
timely article in ACM Computing Surveys by Alan R.
Feuer, Pascal was chosen since it was structured, its
dynamic storage for linked lists was deemed highly
appropriate for event-driven simulations, the
available compiler was apparently well-documented and
supported overlays (critical in a RAM constrained
environment), and this researcher was familiar with
the language through courses recently completed.

Once Pascal and the machine were chosen, the
next phase was to see how to code the model and evaluate
the network's performance.

The Language. The Pascal language supports
both overlays and recursive calls, has a good
diagnostic package to aid in debugging, is structured,
and the author had some programming experience in the
language. But the software did not provide any number
generator routines and does not provide the programmer
with a simple and direct capability for direct bit
manipulation. In retrospect, for this restricted
memory environment, the bit manipulating capability of
C was a more important characteristic which should
have led to it being chosen instead. Besides, C also
provided several number generator routines. But the
restrictive memory in itself was not the problem since
overlays could in part offset it by not having the
entire program in main memory.

Unfortunately, the most blatant problem during
the development of this thesis was the language
chosen. This problem manifested itself in primarily
two ways. In the first place, overlays were never
possible. In the second place, the debugging package was
not fully useable.

Without overlays, the number of functions that
could be simulated was reduced. This caused
considerable simplification of the model which in
itself was not as discomfiting as the reason why
overlays were not performed. After working with
Pascal for a while, it became apparent that the
documentation package was not as good as advertised
and therefore, expected.

The other major problem was that to use the
debugger, the program size was drastically limited.
That may have been solved with overlays, but as
mentioned above, the documentation was not that easily
or well understood. In fact, no one was found to
provide any aid in this area. Thus, overlays were not
performed and the debugger was not available to help
during the debugging phase. But even if the debugger
had been available for use, its usefulness was
severely handicapped by the fact that it could not
handle real numbers. This severe handicap was not
discovered until the software development was well
into the coding phase. All in all, it may be best to
have C as the language for any follow-up work on a
microcomputer.

The last related problem was that when the
simulation program was finally compiled clean, it did
not execute as expected. This was never resolved
prior to the thesis effort being terminated. But it was
the development of a means to handle random numbers that
caused the single most frustrating period during the
generation of this thesis.

The Random Number Generator. The development
of the uniform random generator was more difficult
than expected. Several sources presented good
examples for mini and other large computers, but
none presented one for a microcomputer.

Finally, the theory presented by Sauer and
Hillier was used to program a number generator. But
when it was tested, cycling occurred so quickly that
its value was questionable, though considered
acceptable. Finally, after some study and
trial-and-error, the solution adopted was to generate a
uniform number file using C-BASIC II which was then read
as necessary by the Pascal program. This was quickly
tested and proved a clean implementation prior to its
inclusion in the network simulation program.
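
The two generator passages above (the short cycle of the home-grown uniform generator, and the exponential formulas used for event generation), illustrated together in an added example that is not the thesis's Pascal or CBASIC code. It measures the cycle length of a small linear congruential generator, checks the Hull-Dobell full-period conditions, and turns the uniform stream into exponential interarrival times by inverse transform. The modulus, multipliers and increments are constructed for illustration and are not the thesis's parameters, which the text does not give; the 0.001 rate is the ARRIVAL_RATE constant in the Appendix A listing.

```python
"""Added example: cycle length of a small LCG and inverse-transform sampling."""
import math


def cycle_length(step, seed):
    """Brent's algorithm: length of the cycle that seed, step(seed), ... falls into."""
    power = lam = 1
    tortoise, hare = seed, step(seed)
    while tortoise != hare:
        if power == lam:                     # start a new power-of-two window
            tortoise, power, lam = hare, power * 2, 0
        hare = step(hare)
        lam += 1
    return lam


def lcg_period(a, c, m, seed):
    """Measured period of x' = (a*x + c) mod m starting from seed."""
    return cycle_length(lambda x: (a * x + c) % m, seed % m)


def prime_factors(n):
    """Set of prime factors of n, by trial division (n is small here)."""
    found, p = set(), 2
    while p * p <= n:
        while n % p == 0:
            found.add(p)
            n //= p
        p += 1
    if n > 1:
        found.add(n)
    return found


def full_period_expected(a, c, m):
    """Hull-Dobell conditions: True when the LCG visits all m states."""
    if c == 0 or math.gcd(c, m) != 1:
        return False
    if any((a - 1) % p for p in prime_factors(m)):
        return False
    return m % 4 != 0 or (a - 1) % 4 == 0


def uniforms(a, c, m, seed, count):
    """Yield count values in [0, 1) from the LCG."""
    x = seed % m
    for _ in range(count):
        x = (a * x + c) % m
        yield x / m


def exponential(u, rate):
    """Inverse transform: uniform u in [0, 1) -> exponential variate, mean 1/rate."""
    return -math.log(1.0 - u) / rate


M = 2 ** 15                         # constructed modulus: states fit a 16-bit integer
WEAK = dict(a=13, c=0, m=M)         # constructed multiplicative generator
GOOD = dict(a=3421, c=1, m=M)       # constructed mixed generator meeting Hull-Dobell
ARRIVAL_RATE = 0.001                # msgs/ms, the ARRIVAL_RATE constant in the listing


def mean_interarrival(params, seed, count, rate=ARRIVAL_RATE):
    """Average exponential interarrival time (ms) over count draws."""
    draws = uniforms(seed=seed, count=count, **params)
    return sum(exponential(u, rate) for u in draws) / count


if __name__ == "__main__":
    for name, params in (("weak", WEAK), ("good", GOOD)):
        for seed in (1, 2):
            print(f"{name} seed={seed}: period {lcg_period(seed=seed, **params)} "
                  f"(full period predicted: {full_period_expected(**params)})")
    print(f"mean interarrival over one full cycle: "
          f"{mean_interarrival(GOOD, 0, M):.1f} ms (expected about 1000 ms)")
```

The multiplicative generator's period depends on the seed and never reaches the modulus, which is the kind of early cycling the text describes; a file of pre-generated numbers, as the thesis adopted, bounds the usable stream at the file length instead.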


Conclusions.


Application of Jackson's Theorem validated the 
designed network. Even though the results of this 
analysis are idealistic, the careful simplification 
and streamlining of the model and the judicious 
selection of arrival and service rates provide a high 
degree of confidence in the design's ability to meet 
its traffic goals. 

As for the simulation program (Appendix A), it would
be interesting to see the model validated in this manner.
Definitely, it would behoove whomever desired this SLN
to have it simulated with as realistic a set of
constraints as possible before the immense cost of
actually developing the network were made. A SLN is
not an inexpensive system since heavy software costs
are involved to develop protocols and interfaces which
are not in existence today.

Chapter V: Conclusions and Recommendations


Overview.

As shown in the preceding chapter, the simplified
version of the designed model should be able to handle
the projected work load. Based on that analysis, it is
expected that the more complex model (summarized in
the last section of Chapter III) would also meet the
work load requirements. In any case, the model was
designed to: 1) effectively process bulk data traffic,
2) provide a high level of security, and 3) permit
multiple concurrent transmissions of different
classifications. In this last chapter, areas for
further study are presented and some conclusions are
drawn from the experience of completing this thesis.


Areas for Further Study. 


There are at least five areas left for further 
study. The five areas discussed below were not fully 
developed within the scope of this thesis, but they all 
deserve additional research and examination. 

In the first place, an attempt to generalize the
network model for applications more interactive/bursty
in nature could result in different design elements.
This researcher believes that the major differences
between the design of this SLN and one with more bursty
traffic would be in the area of topology (a web might be
more appropriate) and network access control (possibly
contention instead of shift register insertion).

But, within the framework of this design and ESC's
specific constraints, the addition of dummy traffic, of
new arrivals from the "A" nodes, of flow control
traffic, of error/reliability traffic (retransmissions),
and of priority traffic to a simulation for the purpose
of examining throughput would be of major interest. Of
course, this would entail successfully developing the
simulation attempted for this thesis work. In any case,
the traffic that is potentially the most damaging to
throughput is [illegible] load. It could cause
unacceptable delays which would require the
re-examination by higher authorities of its need for
security.

A third area would be research into the
interoperability and interface issues of a SLN and other
secure and/or non-secure networks. An analysis of
TCP/IP and the projected national level long haul
communications networks like the Defense Data Network
would be within the scope of such work.

Another area that deserves more study is that of
fault tolerance and fault limitation/isolation in both
physical (hardware) design and in the design of
protocols. But probably the most intriguing area would
be in the fifth area, the expansion of the security
aspects of this thesis.

The encryption of this model revolves about the
secure/trusted generation and distribution of keys and
their management. This area has been addressed by
many without, to this researcher's knowledge as of
[illegible] 1983, an accepted way of doing so. (Accepted by
this country's national level security agencies.) Any
follow-on work in this area could bring great dividends
to this nation's security.


Conclusions.

The interplay of topology, network access,
switching method, and flow and error control protocols
was challenging, extremely enlightening, and definitely
interesting. The addition of security constraints
does cloud the issue of performance, but flexible
designs with inherently good performance
characteristics seem to be best suited for security.
The design process is definitely influenced by
security issues, especially those which deal with the
need to limit the electromagnetic emanations of the
hardware and the need to guard against traffic analysis.
But, the key to achieving security seems to exist
primarily within the realm of software access controls
implemented in the network's protocol structure (even if
these protocols are implemented through micro-code).

Appendix A: Program Listing


Pascal /MT+ Release 5.5
Copyright (c) 1981 MT MicroSYSTEM, Inc.
Compilation of: B:WORKG

Stmt Nest  Source Statement

{$K1}
{$K2}
{$K4}
{$K7}
{$K13}
{$K14}
{$K15}
PROGRAM SLN_SIM (INPUT, OUTPUT);

{ CONFIG_CONTROL = '04 JULY 1982: VERSION 2G' }
{ IMPLEMENTATION OF A }
{ SECURE LOCAL AREA NETWORK (A SLN) }
{ THIS SIMULATION MODEL WAS DEVELOPED TO MEET }
{ THESIS REQUIREMENTS FOR THE GCS PROGRAM AT }
{ THE AIR FORCE INSTITUTE OF TECHNOLOGY }
{ ELECTRICAL ENGINEERING DEPT (AFIT/EN) }
{ THIS PROGRAM WAS USED TO VERIFY THE RESULTS }
{ DERIVED USING JACKSON'S THEOREM IN THE THESIS }

{ AUTHOR: RICARDO G. CUADROS, CAPT USAF }
{ ADVISOR: WALTER D. SEWARD, MAJOR USAF, PhD }
{ PROGRAM DATES: 12 FEB 1982 - 24 JULY 1983 }
{ ENVIRONMENT: }
{   INTERTEC DATA SYSTEMS SUPERBRAIN QD }
{   CP/M 2.2 OPERATING SYSTEM }
{   DIGITAL RESEARCH PASCAL MT+ VER 5.5 }
{ GENERAL DESCRIPTION: }
{   GENERATE AN EVENT QUEUE SORTED BY TIME }
{   AND INCLUDING NODE AND CLASSIFICATION DATA }
{   PROCESS THE EVENT QUEUE TO SIMULATE }
{   TRAFFIC FLOW }
{   COLLECT TRAFFIC DATA }
{ TRAFFIC FLOW: COUNTER-CLOCKWISE }
{ }
{     <- 3 - 2 - 1 <- 7 }
{     -> 4 - 5 - 6 - 7 -> }
{ NODES 1, 2, 3 ARE COMMUNICATION NODES }
{ NODES 4, 5, 6, 7 ARE APPLICATION NODES }

{ LIST OF PROCEDURES AND FUNCTIONS }
{ PROCEDURE INITIAL; 01 }
{   PURPOSE: TO INITIALIZE VARIABLES, }
{     ASSIGN FILES, AND TO CONTROL FIRST }
{     THREE EVENTS }
{ PROCEDURE GENEVENT (SRC_NODE: INTEGER); 02 }
{   PURPOSE: GIVEN THE NODE, CREATE THE }
{     NEXT EVENT }
{ }
{ PROCEDURE COMMNODE; 03 }
{   PURPOSE: CONTROLS COMM NODE INFO FOR GENEVENT }
{ }
{ PROCEDURE COMMNODE; 03 }
{   PURPOSE: GIVEN THE TIME, INSERTS AN EVENT IN }
{     THE PROPER PLACE OF THE EVENT QUEUE }
{ }
{ PROCEDURE DELEVENT; 05 }
{   PURPOSE: DELETES AN EVENT FROM THE HEAD OF }
{     THE EVENT QUEUE }
{ }
{ PROCEDURE MOVEVENT; 06 }
{   PURPOSE: MOVES EVENTS ABOUT THE MODELED NET; }
{     HAS ALGORITHMS FOR COUNTERCLOCKWISE }
{     TRAFFIC FLOW; AND SERVES AS TRAFFIC }
{     CONTROLLER }
{ }
{ PROCEDURE QWALK; 07 }
{   PURPOSE: TO HELP COLLECT QUEUE INFO FOR RUN }
{ }
{ PROCEDURE WRAPUP; 08 }
{   PURPOSE: RUN TERMINATION CONTROL FOR A NORMAL }
{     CLOSE OF FILES AFTER RUN }
{ }
{ PROCEDURE UFILREAD; 09 }
{   PURPOSE: TO READ FROM THE UNIFORM NUMBER FILE }
{ }
{ FUNCTION SRC : REAL; 10 }
{   PURPOSE: TO PROVIDE ARRIVAL TIME INFORMATION }
{ }
{ FUNCTION SVC : REAL; 11 }
{   PURPOSE: TO PROVIDE SERVICE TIME INFORMATION }
{ }

CONST { GLOBAL CONSTANTS }
  CONFIG_CONTROL = '04 JULY 1983: VERSION 2G';
  ARRIVAL_RATE = 0.001;        { IN MSG PER MILLISEC FOR }
  SERVICE_RATE = 0.003;        { ARRIVAL AND SERVICE RATES }
  COMPLETE = 'C';              { ALL PKTS FOR THIS MSG RCVD }
  PARTIAL = 'P';               { NOT COMPLETE }
  LEN1 = 0.500;                { LEN# : }
  LEN2 = 0.750;                { GIVES PROBABILITY MSG }
  LEN3 = 0.875;                { IS <= # PKTS LONG }
  LEN4 = 0.9375;               { (0 REPRESENTS 10 PKTS) }
  LEN5 = 0.96875;              { THESE VALUES CHOSEN }
  LEN6 = 0.984375;             { TO MEET REQUIREMENT }
  LEN7 = 0.9921875;            { THAT MSG BE LEN 1 50% }
  LEN8 = 0.99609375;           { OF THE TIME. }
  LEN9 = 0.9990234375;
  LEN0 = 1.0000000000;
  EOF_UNIF = 999.999;          { EOF OF UNIFORM_DAT FILE }
  FIXED_PROCESS_TIME = 0.015;

TYPE EVENTPTR = ^EVNTREC;
     EVNTREC = RECORD
       E_TIME  : REAL;         { EVENT TIME; SORT KEY }
       AT_NODE : INTEGER;      { CURRENT POS: 10-30, 1-7 }
       TO_NODE : INTEGER;      { INBOUND DEST NODE 4-7 }
       EX_NODE : INTEGER;      { OUTBOUND NODAL SINK 1-3 }
       CLASS   : INTEGER;      { CLASS: 1 OR 2 }
       C_OR_P  : CHAR;         { COMPLETE (C) OR PARTIAL (P) }
       E_NEXT  : EVENTPTR;     { NEXT EVENT }
     END;

VAR DFILE : TEXT;
    UFILE : TEXT;


    { WORK ELEMENTS FOR MSGS }
    WRK_E_TIME  : REAL;
    WRK_AT_NODE : INTEGER;
    WRK_TO_NODE : INTEGER;
    WRK_EX_NODE : INTEGER;
    WRK_CLASS   : INTEGER;
    WRK_C_OR_P  : CHAR;
    WRK_E_NEXT  : EVENTPTR;
    { POINTERS }
    ATPTR, END_PTR  : EVENTPTR;
    HDPTR, TEMP_PTR : EVENTPTR;
    { TIMES }
    ELAPS_TM   : REAL;
    START_TIME : REAL;
    STOP_TIME  : REAL;
    TIME_NOW   : REAL;
    { COUNTERS: INDEX CORRESPONDS TO 'RELATIVE' NODE }
    CLASS1_CNT    : REAL;
    CLASS2_CNT    : REAL;
    C_STRTSTP     : ARRAY [1..7] OF REAL;
    HI_VALUES     : ARRAY [1..7] OF REAL;
    MAX_IN_BUFFER : ARRAY [1..7] OF REAL;
    MSGS          : ARRAY [1..7] OF REAL;
    PCKTS         : ARRAY [1..7] OF REAL;
    P_STRTSTP     : ARRAY [1..7] OF REAL;
    SMSGS         : ARRAY [1..7] OF REAL;
    SPCKTS        : ARRAY [1..7] OF REAL;
    { MISC VARIABLES }
    ERROR_LEVEL  : INTEGER;
    EVENT_Q_LEN  : INTEGER;
    IO_STATUS    : INTEGER;
    LCNT         : INTEGER;
    MAX_PCKTS    : INTEGER;
    MODULE_NAME  : ARRAY [1..12] OF CHAR;
    PCKT_NUM     : INTEGER;
    PCKTS_IN_MSG : INTEGER;
    RDT          : ARRAY [1..20] OF CHAR;
    SRC_NODE     : INTEGER;
    TEMP_VAL     : INTEGER;
    U_VALUE      : REAL;


{ * * * PROCEDURES AND FUNCTIONS * * * * * }
PROCEDURE INITIAL;
VAR LCNT : INTEGER;
BEGIN
  MODULE_NAME := 'INITIAL     ';
  WRITELN(' ENTER REMARKS FOR THIS RUN - 20 CHAR');
  LCNT := 1;
  WHILE LCNT <= 19 DO BEGIN
    WRITE(' ');
    LCNT := LCNT + 1
  END; { END WHILE }
  WRITELN('*');
  FOR LCNT := 1 TO 20 DO BEGIN
    READ(RDT[LCNT])
  END;
  READLN;
  WRITELN('ENTER MAX NUM OF PCKTS PER MSG - INT');
  READLN(MAX_PCKTS);
  IF MAX_PCKTS > 10 THEN MAX_PCKTS := 10;
  WRITELN('ENTER TIME TO STOP RUN - REAL - SEC');
  READLN(STOP_TIME);
  WRITELN('ENTER DATA COLLECT START TIME - REAL - SEC');
  READLN(START_TIME);
  FOR LCNT := 1 TO 7 DO BEGIN { '0' OUT COUNTERS }
    PCKTS[LCNT]         := 0.0;
    HI_VALUES[LCNT]     := 0.0;
    MSGS[LCNT]          := 0.0;
    MAX_IN_BUFFER[LCNT] := 0.0;
    SMSGS[LCNT]         := 0.0;
    SPCKTS[LCNT]        := 0.0;
    C_STRTSTP[LCNT]     := 0.0;
    P_STRTSTP[LCNT]     := 0.0
  END;
  EVENT_Q_LEN := 0;
  ERROR_LEVEL := 0; { STATUS OK; '9' MARKS PROBLEM }
  CLASS1_CNT := 0.0;
  CLASS2_CNT := 0.0;
  { INITIALIZE QUEUE AND QUEUE POINTERS }
  NEW(HDPTR);
  WITH HDPTR^ DO BEGIN
    E_TIME  := 0.0;
    AT_NODE := 0;
    TO_NODE := 0;
    EX_NODE := 0;
    CLASS   := 0;
    C_OR_P  := '0';
    E_NEXT  := NIL
  END;
  ATPTR := HDPTR;
  END_PTR := HDPTR;
  TEMP_PTR := HDPTR;
  WRK_E_TIME := 0.0;
  WRK_AT_NODE := 0;
  WRK_TO_NODE := 0;
  WRK_EX_NODE := 0;
  WRK_CLASS := 0;
  WRK_C_OR_P := '0';
  WRK_E_NEXT := NIL;
  ASSIGN(DFILE,'A:RUNDATA.OUT');
  REWRITE(DFILE);
  ASSIGN(UFILE,'A:UNIFORM.DAT');
  RESET(UFILE);
  WRITELN(DFILE,CONFIG_CONTROL,' REMARKS = ',RDT);
  WRITELN(DFILE,'START ',START_TIME,' ;STOP ',
          STOP_TIME);
  WRITELN(DFILE,' ARRIVAL ',ARRIVAL_RATE,
          ' ;SERVICE ',SERVICE_RATE);
  WRITELN(DFILE,' MAX PKTS ',MAX_PCKTS);
  WRITELN(DFILE,'INITIAL ',ERROR_LEVEL);
  { GENERATE 1ST 3 ARRIVALS - 1/C NODE }
  WRITELN(' GENERATING THE FIRST THREE EVENTS ');
  TIME_NOW := 0.0;
  FOR LCNT := 1 TO 3 DO BEGIN
    GENEVENT(LCNT)
  END; { NOW SET TIME TO 1ST ARRIVAL }
  TIME_NOW := HDPTR^.E_TIME
END;


PROCEDURE GENEVENT(VAR SRC_NODE: INTEGER);
VAR GLCNT: INTEGER;
BEGIN { ALGO IMPLEMENTS FIG. II-5 & 6 OF THESIS }
  MODULE_NAME := 'GENEVENT    ';
  WRITELN('IN ',MODULE_NAME,'FOR SRC NODE= ',SRC_NODE);
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL,' ',SRC_NODE);
  TEMP_VAL := SRC_NODE;
  IF SRC_NODE < 10 THEN SRC_NODE := SRC_NODE * 10
                   ELSE ERROR_LEVEL := 9;
  IF ERROR_LEVEL <> 9
  THEN BEGIN
    UFILREAD;
    WRK_AT_NODE := SRC_NODE;
    IF SRC_NODE < 40 THEN WRK_EX_NODE := TEMP_VAL;
    IF SRC_NODE < 40 THEN COMMNODE
    ELSE { SRC NODE > 30 }
      WRK_E_TIME := TIME_NOW + SVC;
      { RESPONSE AT APPL }
    UFILREAD;
    { DEFAULT OF 10 IS SET FIRST; AN ELSE ON THE LAST TEST WOULD }
    { OVERRIDE EVERY LENGTH FROM 2 TO 9 }
    PCKTS_IN_MSG := 10;
    IF U_VALUE <= LEN9 THEN PCKTS_IN_MSG := 9;
    IF U_VALUE <= LEN8 THEN PCKTS_IN_MSG := 8;
    IF U_VALUE <= LEN7 THEN PCKTS_IN_MSG := 7;
    IF U_VALUE <= LEN6 THEN PCKTS_IN_MSG := 6;
    IF U_VALUE <= LEN5 THEN PCKTS_IN_MSG := 5;
    IF U_VALUE <= LEN4 THEN PCKTS_IN_MSG := 4;
    IF U_VALUE <= LEN3 THEN PCKTS_IN_MSG := 3;
    IF U_VALUE <= LEN2 THEN PCKTS_IN_MSG := 2;
    IF U_VALUE <= LEN1 THEN PCKTS_IN_MSG := 1;
    IF PCKTS_IN_MSG > MAX_PCKTS THEN
      PCKTS_IN_MSG := MAX_PCKTS;
    WRK_C_OR_P := PARTIAL;
    FOR GLCNT := 1 TO PCKTS_IN_MSG DO BEGIN
      IF GLCNT = PCKTS_IN_MSG
        THEN WRK_C_OR_P := COMPLETE;
      INSRT(WRK_E_TIME)
    END { FOR }
  END; { IF ERROR_LEVEL <> 9 }
  WRITELN('BYE ',MODULE_NAME);
  SRC_NODE := TEMP_VAL
  { SETS SRC NODE TO ORIGINAL CALLING PARAM }
END; { GENEVENT }

PROCEDURE COMMNODE;
BEGIN
  MODULE_NAME := 'COMMNODE    ';
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL,' ',SRC_NODE);
  WRK_E_TIME := TIME_NOW + SRC;
  WRK_CLASS := 1;
  IF (SRC_NODE <> 20) AND (U_VALUE < 0.50)
    THEN WRK_CLASS := 2;
  IF WRK_CLASS = 1 THEN BEGIN
    WRK_TO_NODE := 4;
    CLASS1_CNT := CLASS1_CNT + 1.0
  END;
  IF WRK_CLASS = 2
  THEN BEGIN
    CLASS2_CNT := CLASS2_CNT + 1.0;
    WRK_TO_NODE := 7
  END;
  IF ((WRK_CLASS = 2) AND (U_VALUE < 0.66666667))
    THEN WRK_TO_NODE := 6;
  IF ((WRK_CLASS = 2) AND (U_VALUE < 0.33333333))
    THEN WRK_TO_NODE := 5
END; { COMM NODE }


PROCEDURE INSRT(VAR TTIME: REAL);
VAR FOUND : BOOLEAN;
BEGIN { LINK-LIST IN ASC ORDER BY E_TIME }
  MODULE_NAME := 'INSRT       ';
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL,' ',TTIME);
  WRITELN(MODULE_NAME,ERROR_LEVEL,' ',TTIME);
  EVENT_Q_LEN := EVENT_Q_LEN + 1;
  WITH HDPTR^ DO BEGIN
    { KEEP TRACK OF MAX PCKTS IN BUFFER }
    IF ((AT_NODE > 0) AND (AT_NODE < 10)) THEN
    BEGIN
      HI_VALUES[AT_NODE] := HI_VALUES[AT_NODE] + 1.0;
      IF HI_VALUES[AT_NODE] > MAX_IN_BUFFER[AT_NODE]
      THEN
        MAX_IN_BUFFER[AT_NODE] := HI_VALUES[AT_NODE]
    END
  END; { WITH }
  IF (HDPTR^.E_TIME = 0.0) THEN
  BEGIN { LIST EMPTY }
    WITH HDPTR^ DO BEGIN
      E_TIME  := WRK_E_TIME;
      AT_NODE := WRK_AT_NODE;
      TO_NODE := WRK_TO_NODE;
      EX_NODE := WRK_EX_NODE;
      CLASS   := WRK_CLASS;
      C_OR_P  := WRK_C_OR_P;
      E_NEXT  := NIL
    END
  END
  ELSE
    IF TTIME < HDPTR^.E_TIME THEN
    BEGIN { INSERT AT HEAD OF LIST }
      NEW(TEMP_PTR);
      WITH TEMP_PTR^ DO BEGIN
        E_TIME  := WRK_E_TIME;
        AT_NODE := WRK_AT_NODE;
        TO_NODE := WRK_TO_NODE;
        EX_NODE := WRK_EX_NODE;
        CLASS   := WRK_CLASS;
        C_OR_P  := WRK_C_OR_P;
        E_NEXT  := HDPTR
      END;
      HDPTR := TEMP_PTR
    END
    ELSE BEGIN { INSERT AFTER START OF THE LIST }
      ATPTR := HDPTR;
      FOUND := FALSE;
      { STOP AT THE TAIL: E_NEXT IS NIL THERE AND MUST NOT BE FOLLOWED }
      WHILE NOT FOUND DO
        IF ATPTR^.E_NEXT = NIL THEN FOUND := TRUE
        ELSE IF TTIME >= ATPTR^.E_NEXT^.E_TIME
          THEN ATPTR := ATPTR^.E_NEXT
          ELSE FOUND := TRUE; { END WHILE }
      NEW(TEMP_PTR);
      WITH TEMP_PTR^ DO BEGIN
        E_TIME  := WRK_E_TIME;
        AT_NODE := WRK_AT_NODE;
        TO_NODE := WRK_TO_NODE;
        EX_NODE := WRK_EX_NODE;
        CLASS   := WRK_CLASS;
        C_OR_P  := WRK_C_OR_P;
        E_NEXT  := ATPTR^.E_NEXT
      END;
      IF TTIME >= END_PTR^.E_TIME
        THEN END_PTR := TEMP_PTR;
      ATPTR^.E_NEXT := TEMP_PTR
    END
END; { INSRT }


PROCEDURE DELEVENT;
BEGIN
  { SHOULD ONLY BE DELETING FROM THE HEAD OF THE LIST }
  MODULE_NAME := 'DELEVENT    ';
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL);
  IF ((HDPTR^.AT_NODE > 0) AND (HDPTR^.AT_NODE < 10))
    THEN HI_VALUES[HDPTR^.AT_NODE] :=
           HI_VALUES[HDPTR^.AT_NODE] - 1.0;
  IF HDPTR^.E_NEXT = NIL THEN BEGIN
    { LAST EVENT: KEEP THE RECORD AND MARK THE LIST EMPTY }
    HDPTR^.AT_NODE := 0;
    HDPTR^.E_TIME := 0.0
  END
  ELSE BEGIN
    ATPTR := HDPTR^.E_NEXT;
    DISPOSE(HDPTR);
    HDPTR := ATPTR
  END;
  EVENT_Q_LEN := EVENT_Q_LEN - 1
END; { DELEVENT }


PROCEDURE MOVEVENT;
VAR LCNT : INTEGER;
BEGIN
  { CHECK FOR ARRIVAL AT COMM TO GENERATE NEW ONE }
  MODULE_NAME := 'MOVEMENT    ';
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL,' ',
          HDPTR^.AT_NODE);
  WRITELN(MODULE_NAME,ERROR_LEVEL,' ',
          HDPTR^.AT_NODE);
  LCNT := 0;
  CASE HDPTR^.AT_NODE OF
    10 : LCNT := 1;
    20 : LCNT := 2;
    30 : LCNT := 3
  END;
  WRITELN(MODULE_NAME,ERROR_LEVEL,' ',LCNT);
  IF LCNT <> 0 THEN GENEVENT(LCNT);

  IF ((TIME_NOW < STOP_TIME) AND
      (TIME_NOW >= START_TIME))
  THEN BEGIN
    TEMP_VAL := HDPTR^.AT_NODE;
    IF TEMP_VAL >= 10
    THEN BEGIN
      TEMP_VAL := (TEMP_VAL DIV 10);
      PCKTS[TEMP_VAL] := PCKTS[TEMP_VAL] + 1.0;
      IF (HDPTR^.C_OR_P = COMPLETE) THEN
        MSGS[TEMP_VAL] := MSGS[TEMP_VAL] + 1.0
    END
  END;

  WITH HDPTR^ DO BEGIN
    { MOVE TO NEXT NODE }
    IF ((AT_NODE = 7) OR (AT_NODE = 70))
      THEN AT_NODE := 1
    ELSE
      IF ((AT_NODE > 0) AND (AT_NODE < 7))
        THEN AT_NODE := AT_NODE + 1;
    IF ((AT_NODE > 9) AND (AT_NODE < 70))
      THEN AT_NODE := ((AT_NODE + 10) DIV 10)
  END; { WITH }

  IF HDPTR^.AT_NODE <> HDPTR^.TO_NODE
  THEN { THAT ENTRY AND CREATE A NEW ONE }
  BEGIN
    WRK_E_TIME  := HDPTR^.E_TIME +
                   FIXED_PROCESS_TIME;
    WRK_AT_NODE := HDPTR^.AT_NODE;
    WRK_TO_NODE := HDPTR^.TO_NODE;
    WRK_EX_NODE := HDPTR^.EX_NODE;
    WRK_CLASS   := HDPTR^.CLASS;
    WRK_C_OR_P  := HDPTR^.C_OR_P;
    INSRT(WRK_E_TIME)
  END { <> }
  ELSE
    IF HDPTR^.AT_NODE = HDPTR^.TO_NODE
    THEN { ARRIVED TO APPLICATION SINK }
    BEGIN
      IF HDPTR^.C_OR_P = COMPLETE THEN
      BEGIN
        WRK_E_TIME  := HDPTR^.E_TIME;
        WRK_AT_NODE := HDPTR^.AT_NODE;
        WRK_TO_NODE := HDPTR^.EX_NODE;
        WRK_EX_NODE := HDPTR^.EX_NODE;
        WRK_CLASS   := HDPTR^.CLASS;
        GENEVENT(WRK_AT_NODE)
      END { COMPLETE }
    END; { = APPLICATION NODE ARRIVAL }

  IF ((TIME_NOW < STOP_TIME) AND
      (TIME_NOW >= START_TIME))
  THEN BEGIN
    IF ((HDPTR^.AT_NODE = HDPTR^.EX_NODE) OR
        (HDPTR^.AT_NODE = HDPTR^.TO_NODE))
    THEN BEGIN
      SPCKTS[HDPTR^.AT_NODE] :=
        SPCKTS[HDPTR^.AT_NODE] + 1.0;
      IF HDPTR^.C_OR_P = COMPLETE THEN
        SMSGS[HDPTR^.AT_NODE] :=
          SMSGS[HDPTR^.AT_NODE] + 1.0
    END
  END;

  IF ((HDPTR^.AT_NODE = HDPTR^.EX_NODE) OR
      (HDPTR^.AT_NODE = HDPTR^.TO_NODE) OR
      (HDPTR^.AT_NODE <> HDPTR^.TO_NODE))
    THEN DELEVENT
    ELSE ERROR_LEVEL := 9;

  TIME_NOW := HDPTR^.E_TIME
END; { MOVEVENT }
PROCEDURE QWALK;
VAR LCNT : INTEGER;
BEGIN
  MODULE_NAME := 'QWALK       ';
  WRITELN(MODULE_NAME,ERROR_LEVEL);
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL);
  ATPTR := HDPTR;
  LCNT := 0;
  WHILE ATPTR^.E_NEXT <> NIL DO
  BEGIN
    LCNT := LCNT + 1;
    WITH ATPTR^ DO
    BEGIN
      IF ((AT_NODE > 0) AND (AT_NODE < 10)) THEN
        IF (C_OR_P = COMPLETE) THEN
          C_STRTSTP[AT_NODE] :=
            C_STRTSTP[AT_NODE] + 1.0
        ELSE P_STRTSTP[AT_NODE] :=
            P_STRTSTP[AT_NODE] + 1.0
    END; { WITH }
    ATPTR := ATPTR^.E_NEXT { ADVANCE, OR THE WALK NEVER ENDS }
  END; { WHILE <> NIL }
  WRITELN(DFILE,'LCNT = ',LCNT,' Q LEN = ',
          EVENT_Q_LEN);
  FOR LCNT := 1 TO 7 DO BEGIN
    HI_VALUES[LCNT] := P_STRTSTP[LCNT];
    MAX_IN_BUFFER[LCNT] := HI_VALUES[LCNT]
  END { FOR }
END; { QWALK }


PROCEDURE WRAPUP;
VAR LCNT : INTEGER;
BEGIN
  { WRITE OUT TO DFILE THE SIM DATA DESIRED }
  QWALK;
  ELAPS_TM := TIME_NOW - START_TIME;
  WRITELN(DFILE,'ERROR LEVEL = ',ERROR_LEVEL);
  WRITELN(DFILE,'DATA COLLECTED FOR ',ELAPS_TM,
          ' SEC; TIME NOW = ',TIME_NOW);
  FOR LCNT := 1 TO 7 DO BEGIN
    WRITELN('IN WRAPUP AT NODE # ',LCNT);
    WRITELN(DFILE,'AT NODE # ',LCNT);
    WRITELN(DFILE,'STOP STATUS: MSGS = ',
            C_STRTSTP[LCNT]);
    WRITELN(DFILE,' PCKTS = ',
            P_STRTSTP[LCNT]);
    WRITELN(DFILE,'MSGS GENERATED = ',MSGS[LCNT]);
    WRITELN(DFILE,'PCKTS GENERATED = ',PCKTS[LCNT]);
    WRITELN(DFILE,'BUFFER USED = ',
            MAX_IN_BUFFER[LCNT])
  END;
  WRITELN(DFILE,'EVENT QUEUE LEN AT STOP TIME - ',
          EVENT_Q_LEN);
  CLOSE(UFILE,IO_STATUS);
  IF IO_STATUS = 255
    THEN WRITELN('ERROR IN UFILE CLOSURE')
    ELSE WRITELN('UFILE CLOSED');
  CLOSE(DFILE,IO_STATUS);
  IF IO_STATUS = 255
    THEN WRITELN('ERROR IN DFILE CLOSURE')
    ELSE WRITELN('DFILE CLOSED')
END; { WRAPUP }
PROCEDURE UFILREAD;
BEGIN
  MODULE_NAME := 'UFILREAD    ';
  WRITELN('* * * ENTERING ',MODULE_NAME);
  READ(UFILE,U_VALUE);
  IF U_VALUE = EOF_UNIF THEN BEGIN
    { SENTINEL REACHED: REWIND AND REUSE THE UNIFORM FILE }
    RESET(UFILE);
    READ(UFILE,U_VALUE)
  END; { IF }
  WRITELN('* * * EXITING ',MODULE_NAME);
  WRITELN(DFILE,MODULE_NAME,ERROR_LEVEL,
          ' U VALUE := ',U_VALUE)
END;

FUNCTION SRC : REAL;
VAR INT_RESULT: REAL; { SRC/COMM NODE ARRIVALS }
BEGIN { RETS VALUE FROM EXPONENTIAL DIST. }
  UFILREAD;
  INT_RESULT := -((ARRIVAL_RATE)*(LN(1.0 - U_VALUE)));
  IF INT_RESULT <= 0.0 THEN BEGIN
    WRITELN('****ERROR IN SOURCE ****');
    ERROR_LEVEL := 9
  END
  ELSE SRC := INT_RESULT;
  WRITELN(DFILE,'SRC READ ',INT_RESULT,' ',ERROR_LEVEL)
END; { END OF SRC }

FUNCTION SVC : REAL;
VAR INT_RESULT: REAL; { SERVICE RATE W/SKEW-TIME }
BEGIN { RETS VALUE FROM EXPONENTIAL DIST. }
  UFILREAD;
  INT_RESULT := -((SERVICE_RATE)*(LN(1.0 - U_VALUE)));
  IF INT_RESULT <= 0.0 THEN BEGIN
    WRITELN('*** ERROR IN SERVICE ***');
    ERROR_LEVEL := 9
  END
  ELSE SVC := INT_RESULT + FIXED_PROCESS_TIME;
  WRITELN(DFILE,'SVC READ ',INT_RESULT,' ',ERROR_LEVEL)
END; { END OF SVC }

{ * * * * * * * * * * * * * * * * * * * * * * * * }
BEGIN { MAIN-DRIVER }
  INITIAL;
  WRITELN('ERROR LEVEL := ',ERROR_LEVEL,
          ' AFTER INITIAL');
  WRITELN(DFILE,'ERROR LEVEL := ',ERROR_LEVEL,
          ' AFTER INITIAL');
  WRITELN('* * * * * * * * * * * * * * * MAIN1');
  IF ERROR_LEVEL = 9 THEN TIME_NOW := 9.60E+15;

  WHILE (TIME_NOW < START_TIME) DO
    WHILE (TIME_NOW < HDPTR^.E_TIME) DO
    BEGIN
      MOVEVENT;
      IF ERROR_LEVEL = 9 THEN TIME_NOW := 9.60E+15
    END; { TIME_NOW < HDPTR^.E_TIME }
  { END OF WHILE TIME_NOW < START_TIME }

  WRITELN(' IN MAIN AFTER SET-UP; ERROR LEVEL = ',
          ERROR_LEVEL);
  WRITELN(DFILE,'IN MAIN AFTER SET-UP;ERROR LEVEL = ',
          ERROR_LEVEL);
  WRITELN('* * * * * * * * * * * * * * * MAIN2');

  IF TIME_NOW <> 9.60E+15 THEN BEGIN
    QWALK;
    WRITELN(DFILE,'START TIME STATUS: ');
    FOR LCNT := 1 TO 7 DO BEGIN
      WRITELN(DFILE,'AT NODE # ',LCNT);
      WRITELN(DFILE,' MSGS: ',C_STRTSTP[LCNT],
              ' PCKTS: ',P_STRTSTP[LCNT])
    END { FOR LOOP }
  END; { TIME_NOW <> 9.60E+15 }

  WRITELN('IN MAIN READY TO START UP ',ERROR_LEVEL);
  WRITELN(DFILE,'IN MAIN READY TO START UP ',
          ERROR_LEVEL);
  WRITELN('* * * * * * * * * * * * * * * MAIN3');

  WHILE (TIME_NOW < STOP_TIME) DO
    WHILE (TIME_NOW < HDPTR^.E_TIME) DO MOVEVENT;
  { END WHILE TIME_NOW < STOP_TIME }

  WRAPUP;
  WRITELN(' DONE ')
END. { END OF THE PROGRAM }

Normal End of Input Reached
Appendix C: Data Dictionary

TRAFFIC FLOW: COUNTER-CLOCKWISE
    V<-3-2-1--<^
    ->4-5-6-7->|
NODES 1, 2, 3 ARE COMMUNICATION NODES
NODES 4, 5, 6, 7 ARE APPLICATION NODES

PROCEDURES AND FUNCTIONS

1.  PROCEDURE INITIAL;                        1.1
    PURPOSE: TO INITIALIZE VARIABLES, ASSIGN
             FILES, AND TO CONTROL 1ST 3 EVENTS

2.  PROCEDURE GENEVENT(SRC_NODE: INTEGER);    2.1
    PURPOSE: GIVEN THE NODE, CREATE THE NEXT EVENT

3.  PROCEDURE COMMNODE;                       3.3
    PURPOSE: CONTROLS COMM NODE INFO FOR GENEVENT

4.  PROCEDURE INSRT(TTIME: REAL);             3.4
    PURPOSE: GIVEN THE TIME, INSERTS AN EVENT IN
             THE PROPER PLACE OF THE EVENT QUEUE

5.  PROCEDURE DELEVENT;                       5.5
    PURPOSE: DELETES AN EVENT FROM THE HEAD OF
             THE EVENT QUEUE

6.  PROCEDURE MOVEVENT;                       1.2
    PURPOSE: MOVES EVENTS ABOUT THE MODELLED NET;
             HAS ALGORITHMS FOR COUNTERCLOCKWISE
             TRAFFIC FLOW; AND SERVES AS TRAFFIC
             CONTROLLER

7.  PROCEDURE QWALK;                          2.2
    PURPOSE: TO HELP COLLECT QUEUE INFO FOR RUN

8.  PROCEDURE WRAPUP;                         1.3
    PURPOSE: RUN TERMINATION CONTROL FOR A NORMAL
             CLOSE OF FILES AFTER RUN

9.  PROCEDURE UFILREAD;                       4.1
    PURPOSE: TO READ FROM THE UNIFORM NUMBER FILE

10. FUNCTION SRC : REAL;                      3.1
    PURPOSE: TO PROVIDE ARRIVAL TIME INFORMATION

11. FUNCTION SVC : REAL;                      3.2
    PURPOSE: TO PROVIDE SERVICE TIME INFORMATION

CONSTANT

GLOBAL
  ARRIVAL_RATE = 0.0001;        { IN MSG PER MILLISEC FOR }
                                { ARRIVAL AND SERVICE RATES }
  COMPLETE = 'C';               { ALL PKTS FOR THIS MSG RCVD }
  CONFIG_CONTROL = LITERAL ALTERED MANUALLY TO TRACK
                   PROGRAM VERSION
  EOF_UNIF = 999.999;           { EOF OF UNIFORM DAT FILE }
  FIXED_PROCESS_TIME = 0.015;

  { LEN# : GIVES PROBABILITY MSG IS <= # PKTS LONG }
  { (0 REPRESENTS 10 PKTS). THESE VALUES CHOSEN    }
  { TO MEET REQUIREMENT THAT MSG BE LEN 1 50% OF TIME. }
  LEN1 = 0.500;
  LEN2 = 0.750;
  LEN3 = 0.875;
  LEN4 = 0.9375;
  LEN5 = 0.96875;
  LEN6 = 0.984375;
  LEN7 = 0.9921875;
  LEN8 = 0.99609375;
  LEN9 = 0.9990234375;
  LEN0 = 1.0000000000;

  PARTIAL = 'P';                { NOT COMPLETE }
  SERVICE_RATE = 0.003;

TYPE
  EVENTPTR = ^EVENTREC;
  EVENTREC = RECORD
    E_TIME  : REAL;      { EVENT TIME; SORT KEY }
    AT_NODE : INTEGER;   { CURRENT POSITION: 10-30, 1-7 }
    TO_NODE : INTEGER;   { INBOUND DESTINATION NODE 4-7 }
    EX_NODE : INTEGER;   { OUTBOUND NODAL SINK 1-3 }
    CLASS   : INTEGER;   { CLASSIFICATION: 1 OR 2 }
    C_OR_P  : CHAR;      { COMPLETE (C) OR PARTIAL (P) }
    E_NEXT  : EVENTPTR;  { NEXT RECORD/EVENT }
  END;

VARIABLES

COUNTERS: INDEX CORRESPONDS TO 'RELATIVE' NODE
  CLASS1_CNT    : REAL;                  { NUM MESSAGES ENTERING THE }
  CLASS2_CNT    : REAL;                  { NETWORK FOR A GIVEN CLASS }
                                         { ARRAYS TO STORE NODAL INFO: }
  C_STRTSTP     : ARRAY [1..7] OF REAL;  { COMPLETE MSGS }
  HI_VALUES     : ARRAY [1..7] OF REAL;  { TEMP FOR MAX }
  MAX_IN_BUFFER : ARRAY [1..7] OF REAL;  { MAX PCKTS }
  MSGS          : ARRAY [1..7] OF REAL;  { TOTAL SEEN }
  PCKTS         : ARRAY [1..7] OF REAL;  { TOTAL SEEN }
  P_STRTSTP     : ARRAY [1..7] OF REAL;  { PARTIAL MSGS }
  SMSGS         : ARRAY [1..7] OF REAL;  { MSGS FROM A }
  SPCKTS        : ARRAY [1..7] OF REAL;  { PCKTS FROM A }

FILES
  DFILE : TEXT;   { STATISTICS/DEBUG FILE }
  UFILE : TEXT;   { UNIF-RAND FILE }

MISC VARIABLES
  ERROR_LEVEL  : INTEGER;                 { 0 = OK; 9 = ABORT RUN }
  EVENT_Q_LEN  : INTEGER;                 { TO DETERMINE MAX IN BUFFER }
  IO_STATUS    : INTEGER;                 { USED IN CLOSE CMD }
  LCNT         : INTEGER;                 { GENERAL PURPOSE COUNTER }
  MAX_PCKTS    : INTEGER;                 { LIMITS MSG LEN }
  MODULE_NAME  : ARRAY [1..12] OF CHAR;   { DEBUG RMKS }
  PCKT_NUM     : INTEGER;                 { USED IN MSG GENERATION }
  PCKTS_IN_MSG : INTEGER;                 { USED IN MSG GENERATION }
  RDT          : ARRAY [1..20] OF CHAR;   { RUN REMARKS }
  SRC_NODE     : INTEGER;                 { USED IN MSG GENERATION }
  TEMP_VAL     : INTEGER;                 { GENERAL PURPOSE TEMP HOLD }
  U_VALUE      : REAL;                    { RESULT OF READ FROM UFILE }

POINTERS
  ATPTR, END_PTR  : EVENTPTR;
  HDPTR, TEMP_PTR : EVENTPTR;

TIMES
  ELAPS_TM   : REAL;   { ELAPSED TIME }
  START_TIME : REAL;   { START DATA COLLECTION }
  STOP_TIME  : REAL;   { STOP DATA COLLECTION }
  TIME_NOW   : REAL;   { CURRENT SIMULATION CLOCK TIME }

WORK ELEMENTS FOR MESSAGES
  WRK_E_TIME  : REAL;
  WRK_AT_NODE : INTEGER;   { CURRENT POSITION: 10-30, 1-7 }
  WRK_TO_NODE : INTEGER;   { INBOUND DESTINATION NODE 4-7 }
  WRK_EX_NODE : INTEGER;   { OUTBOUND NODAL SINK 1-3 }
  WRK_CLASS   : INTEGER;   { CLASSIFICATION: 1 OR 2 }
  WRK_C_OR_P  : CHAR;      { COMPLETE (C) OR PARTIAL (P) }
  WRK_E_NEXT  : EVENTPTR;